TheTechGuide Forum
General Category => Tech Clinic => Topic started by: kota123 on October 13, 2009, 05:32:45 AM
-
I cannot seem to update any programs or download and install new programs. For example (i) I tried to install AVG Free, but when I run the .exe file, it says it cannot detect an internet connection; (ii) I try to go to my email page on Comcast, it tells me there are security certificate issues; (iii) I tried to download HiJackThis Installer from your pinned topic, it could not open the page; (iv) I hit the Update button in Malwarebytes, I get an Error message, etc., etc.
HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:25 AM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\CTSvcCDA.EXE
D:\Program Files\Network Associates\VirusScan\Mcshield.exe
D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\DllHost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202570621154
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202570594275
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - D:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - D:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 4835 bytes
Can you please help. Thanks.
-
I tried to install AVG Free, but when I run the .exe file, it says it cannot detect an internet connection
I see McAfee installed; were you planning on removing it? Is it outdated?
I see remnants of Symantec software installed; did you recently uninstall it, or had it installed a while ago and have since removed it?
How long have you had McAfee installed?
Can you do the following
Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
In addition: If possible, can you also supply the following
Download and Save to your desktop
OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer
Double click on OTS.exe to run it
Under Additional Scans click the button labelled "Extras"
Also, put a tick beside>> Reg - Disabled MS Config Items
So now all the following will be ticked:
Reg - Disabled MS Config Items
Reg - File Associations
Reg - Protocol Filters
Reg - Protocol Handlers
Reg - Security Center Settings
Reg - Winsock2 Catalogs
Reg - Uninstall List
Evnt - EventViewer Logs (Last 10 Errors)
Afterwards: Click the button Run Scan
Let this scan finish, when done, it will open a log
Can you copy and paste that log back here please
A copy of the log will also be on your desktop>>OTS.txt
NOTE: If you do get an error posting this log, please Upload it in a reply
Simply using the (Browse..) navigate to the file and select it, then click on the (UPLOAD) button
on the bottom right of the reply box
-
Thanks for replying.
McAfee and Symantec are both old and outdated, but I don't know if they were ever uninstalled.
Uninstall List Log:
Ad-Aware SE Personal
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Download Manager
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
AIM 6
ArcSoft Panorama Maker 3
Autodesk Design Review
Avance AC'97 Audio
Creative Jukebox Driver
Creative MediaSource
Creative NOMAD Jukebox Zen Xtra
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
F-22 Raptor Demo
GdiplusUpgrade
Google Video Player
HijackThis 2.0.2
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
J2SE Runtime Environment 5.0 Update 3
jetAudio
LimeWire PRO 4.12.3
LiveReg (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Mozilla Firefox (3.5.3)
MSN
MSXML 4.0 SP2 (KB927978)
Nero - Burning Rom
Nikon Message Center
PictureProject
QuickTime
QuickTime for Windows (32-bit)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Skype 2.5
Smart Menus (Windows Live Toolbar)
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Tabbed Browsing (Windows Live Toolbar)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
________________________________________________
I will Upload the OTS Log in a separate reply.
As an aside, is it possible for you to email me my password to [email protected]? I have forgotten the password and I would like to access your replies from my laptop while I carry out your instructions on this desktop.
Thanks again.
-
Uninstall List Log posted in previous Reply.
Cannot Upload OTS Log because it says the file is larger than the available space. Should I break it up into two to three files and upload it? Thanks.
-
Sure, go ahead and break it up if you have to
OR, as I suggested in my last post
NOTE: If you do get an error posting this log, please Upload it in a reply
Simply using the (Browse..) navigate to the file and select it, then click on the (UPLOAD) button
on the bottom right of the reply box
-
I am sorry, but I should have mentioned that it did not let me upload either...the file size was bigger than allowed capacity. Maybe I did something wrong, the OTS file is 1.7 MB. Can I email it to some address.
-
You can go to
http://www.rapidshare.com/
It's a free service
Post a link to your download here
-
Hope this works:
http://rapidshare.com/files/292732120/OTS1013.Txt.html
-
I have a feeling we need to properly remove and uninstall some outdated programs
Please download the following tools
download JavaRa (http://sourceforge.net/projects/javara/files/javara/JavaRa/JavaRa.zip/download)
If you get this message:
Problems with the download? Please use this direct link or try another mirror.
Select the Direct link (http://downloads.sourceforge.net/project/javara/javara/JavaRa/JavaRa.zip?use_mirror=softlayer), download it and unzip it to your Desktop.
Double click JavaRa.exe, select language
Close down all browser windows
then click Remove Older Versions.
Reboot the computer
Next, open JavaRa.exe again, and select Search For Updates.
Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version.
Afterwards,
Go to the following link
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716254939?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid
Scroll to the bottom to STEP 3
Download and save to desktop, the NORTON REMOVAL TOOL
Follow the instructions
On the Windows desktop, double-click the Norton Removal Tool icon.
Follow the on-screen instructions.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
After that is done
Access your Add/Remove Programs and remove McAfee VirusScan Enterprise
Reboot after removal, then next do the following
regardless if McAfee was successfully removed or not
Download and run MCPR.exe
1. Download the removal tool from: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
2. Click Save and save the file to your Desktop
3. Navigate to the folder where the file was saved.
4. Make sure all McAfee windows are closed.
5. Double-click MCPR.exe to run the removal tool.
6. Restart your computer after receiving the message CleanUp Successful.
Back in Windows
Go to the following link
http://kb2.adobe.com/cps/141/tn_14157.html
Download and save to desktop the uninstaller for Flash
uninstall_flash_player.exe
Once saved to desktop, again close all browser windows
Double click on the Flash uninstaller to Run it
After successfully running the uninstaller, you can manually delete it from desktop
Again, close down all browser windows
Access your Add and Remove Programs and remove the following
Viewpoint Media Player
In addition, your copies of Adaware and Spybot are outdated
Remove all the below
Ad-Aware SE Personal
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Reboot your computer once again
Update your Flash, using Internet Explorer
go to the following link
http://www.adobe.com/products/flashplayer/
Allow ActiveX control install when prompted
DO NOT install any Toolbar related software, unless preferred
UNTICK the selection to install any
After you have updated Flash for IE
Then install Flash for Firefox
Using the Firefox browser, again go to the following link
http://www.adobe.com/products/flashplayer/
Download/save to desktop the Flash installer
Close Firefox
Run the installer to install latest flash
Come back here and Post a fresh Hijackthis log afterwards
-
Did everything except I have a problem with accessing the websites of both Symantec and McAfee. The only thing I can think of is that both are blocked by my ISP.
HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:50 PM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\DllHost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "D:\WINDOWS\system32\rundll32.exe" "D:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] D:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570621154 (http://\"http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202570621154\")
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570594275 (http://\"http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202570594275\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - D:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5048 bytes
-
If you have an older version of ComboFix, I need you to delete it
Carry on with the following
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://subs.geekstogo.com/ComboFix.exe)
Save it ONLY to your Desktop
--------------------------------------------------------------------
Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply
In your case, it may be located at D:\ComboFix.txt
NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
-
Here is the ComboFix Log. Thank you.
ComboFix 09-10-13.04 - user 10/14/2009 19:58.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.100 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\5351a.msi
c:\windows\Installer\c5ed.msi
d:\windows\system32\xuejsmf.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_XGMVSR
-------\Service_xgmvsr
((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))
.
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 14:37 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=d:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1157:TCP"= 1157:TCP:fkdsbmz
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
S3 npked;npked;\??\d:\windows\system32\01.tmp --> d:\windows\system32\01.tmp [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-14 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-ALUAlert - d:\program files\Symantec\LiveUpdate\ALUNotify.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 20:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
"ImagePath"="\??\d:\windows\system32\01.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
d:\windows\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2009-10-14 20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-14 14:41
Pre-Run: 11,188,273,152 bytes free
Post-Run: 11,068,473,344 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Microsoft Windows"
-
Also, since I ran ComboFix, I get the message "Generic Host Process for Win 32 Services has encountered problems and needs to close" every time about 15 minutes after I start the computer and everything slows down. I also lose my internet connection.
-
Copy ALL the text below, from KillAll:: to NetSvc::, and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.
KillAll::
Driver::
npked
File::
d:\windows\system32\01.tmp
Registry::
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
"ImagePath"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npked]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1157:TCP"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\StubInstaller.exe"=-
[-HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
NetSvc::
Save this as a text file on your desktop, with the exact name of
CFScript
Drag CFScript.txt onto ComboFix.exe
ComboFix will start >> follow the prompts
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
When finished, it will produce a log for you with the same name, C:\ComboFix.txt.
Can I see that log again?
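The CFScript above targets three things the helper spotted by eye in the ComboFix log: a service (npked) whose ImagePath is a .tmp file in system32, a globally open firewall port with a random-looking name (1157:TCP:fkdsbmz), and a firewall exception for an executable sitting in the drive root (d:\StubInstaller.exe). The same log also shows the Security Center overrides set and EnableFirewall=0. The following script is an added example written for this page, not ComboFix code and not from any post in the thread: it parses the "Reg Loading Points" and service lines of a ComboFix log and flags those indicators automatically. The sample log is constructed from lines quoted in the thread, and the thresholds (trusted directories, the vowel-ratio test for random names, the shared-label count) are the editor's own heuristics, not ComboFix conventions.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log for the indicators this
thread turns on: Security Center overrides, a disabled firewall, firewall exceptions
for odd executables, globally open ports with random names, and services whose
ImagePath is a temp file. Added example; not ComboFix code. Heuristics are the
editor's assumptions."""
import re
from collections import defaultdict
from typing import List

# Constructed sample assembled from lines quoted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\StubInstaller.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1157:TCP"= 1157:TCP:fkdsbmz
"55322:TCP"= 55322:TCP:FD
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"9999:TCP"= 9999:TCP:PORT1
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
S3 npked;npked;\??\d:\windows\system32\01.tmp --> d:\windows\system32\01.tmp [?]
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
OPEN_PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<label>.+)$")

# Directories an XP firewall exception is normally expected to point into (heuristic).
TRUSTED_APP_DIRS = ("program files\\", "windows\\")
# Distinct ports under one generic label before it is worth a second look (heuristic).
SHARED_LABEL_THRESHOLD = 3


def looks_random(label: str) -> bool:
    """Heuristic: five or more letters with almost no vowels, like 'fkdsbmz'."""
    s = label.lower()
    if len(s) < 5 or not s.isalpha():
        return False
    return sum(c in "aeiouy" for c in s) / len(s) < 0.2


def app_path_is_trusted(raw_name: str) -> bool:
    """Exception value names carry doubled backslashes; undo that, then check the directory."""
    path = raw_name.replace("\\\\", "\\").lower()
    if path.startswith("%windir%\\"):
        return True
    m = re.match(r"^[a-z]:\\(.*)$", path)
    return bool(m) and m.group(1).startswith(TRUSTED_APP_DIRS)


def dword_value(data: str) -> int:
    """'dword:00000001' -> 1; anything unparseable counts as 0."""
    try:
        return int(data.split(":")[-1], 16)
    except ValueError:
        return 0


def triage(log_text: str) -> List[str]:
    findings: List[str] = []
    section = ""
    ports_by_label = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = SERVICE_RE.match(line)
        if m:
            image = m.group("image")
            # ComboFix prints [?] where the date/size would be when it cannot read the
            # image file; a .tmp image in system32 is never a legitimate driver.
            if ".tmp" in image.lower() or image.endswith("[?]"):
                findings.append(f"service {m.group('name')} loads from a temp/unverifiable image: {image}")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if section.endswith("security center") and name in ("AntiVirusOverride", "FirewallOverride"):
            if dword_value(data) != 0:
                findings.append(f"Security Center {name} is set (missing AV/firewall alerts suppressed)")
        elif section.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if data.startswith("0"):
                findings.append("Windows Firewall is disabled (EnableFirewall=0)")
        elif section.endswith("authorizedapplications\\list"):
            if not app_path_is_trusted(name):
                clean = name.replace("\\\\", "\\")
                findings.append(f"firewall exception for executable outside Program Files/Windows: {clean}")
        elif section.endswith("globallyopenports\\list"):
            pm = OPEN_PORT_RE.match(data)
            if pm:
                label = pm.group("label")
                ports_by_label[label].add(int(pm.group("port")))
                if looks_random(label):
                    findings.append(f"globally open port {pm.group('port')}/{pm.group('proto')} named '{label}' (random-looking)")
    for label, ports in ports_by_label.items():
        if len(ports) >= SHARED_LABEL_THRESHOLD:
            findings.append(f"{len(ports)} globally open ports share the label '{label}': {sorted(ports)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against a saved ComboFix.txt by reading the file and passing its text to triage(). On the constructed sample it reports the two Security Center overrides, the disabled firewall, the StubInstaller exception, the fkdsbmz port, the npked service and the four ports sharing the "FD" label, while leaving sessmgr.exe, Skype and the RMSPPPOE driver alone. The shared-label check is deliberately a prompt for a second look, not a verdict: legitimate software can register several ports under one name.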
-
ComboFix Log:
ComboFix 09-10-13.04 - user 10/15/2009 10:16.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.97 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\user\Desktop\CFScript.txt
FILE ::
"d:\windows\system32\01.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users\WindowsLive.exe
d:\documents and settings\user\Application Data\WindowsLive.exe
d:\windows\Fonts\unwise_.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
-------\Service_Windows Hosts Controller
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.
2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
2009-10-14 16:52 . 2009-10-14 16:52 141454 ----a-w- d:\windows\system32\man8.exe
2009-10-14 15:02 . 2009-10-14 15:03 1050713 ----a-w- d:\windows\system32\rss.exe
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 04:54 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-15 04:55 . 2009-10-15 04:55 16384 d:\windows\temp\Perflib_Perfdata_548.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"55322:TCP"= 55322:TCP:FD
"9991:TCP"= 9991:TCP:PORT2
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"60715:TCP"= 60715:TCP:FD
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder
2009-10-15 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
- - - - ORPHANS REMOVED - - - -
HKU-Default-Run-Windows Live - d:\documents and settings\All Users\WindowsLive.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 10:25
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
.
**************************************************************************
.
Completion time: 2009-10-15 10:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 04:58
Pre-Run: 11,133,091,840 bytes free
Post-Run: 11,115,757,568 bytes free
Thanks. Today, small windows have started opening up. One of these said "Operation timed out when attempting to contact linkbee.com".
-
I lose my internet connection a few minutes after starting my computer. I have to restart the computer to get the connection back.
-
You're still infected. Can you please do the following:
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
- This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, select Complete scan.
- Click the green arrow at the right, and the scan will start.
- Click Yes to all if it asks if you want to cure/move the file.
- When the scan has finished, in the menu, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv.
- Close Dr.Web CureIt.
- Important! Reboot your computer because it is possible that files in use will be moved/deleted during reboot.
- Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.
In addition:
Win32kDiag:
Please save this file (http://ad13.geekstogo.com/Win32kDiag.exe) to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.
-
When I ran Dr.WebCureIt the first time, we had a power cut here in the middle of the Complete Scan. In the current memory scan, it found a virus and deleted it, but I don't remember the name. After we got the power, I ran Dr.WebCureIt again, and also Win32kDiag. Following is the log from the second scan.
Dr.WebCureIt Log
A0006383.DLL;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Autoruner.5555;Deleted.;
A0007625.exe;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Piabot.4;Deleted.;
A0008643.exe;D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP7;Win32.HLLW.Piabot.4;Deleted.;
WrapperOuter1154.EXE;D:\Backup of old c\My Documents\My Pictures;Adware.VirtualBouncer;;
WrapperOuter1154.EXE;D:\Backup of old c\data of c\My Documents\My Pictures;Adware.VirtualBouncer;;
casinonet.exe\data010;D:\Backup of old d\Documents and Settings\S K Jolly\Local Settings\Temp\casinonet.exe;Program.PrcView.3725;;
casinonet.exe;D:\Backup of old d\Documents and Settings\S K Jolly\Local Settings\Temp;Archive contains infected objects;Moved.;
VCD_PLAY.EXE.Vir;D:\quarantine;Win32.Parite.2;Cured.;
VCD_PLAY.EXE.Vir.0;D:\quarantine;Win32.Parite.2;Cured.;
xuejsmf.dll.vir;D:\Qoobox\Quarantine\D\WINDOWS\system32;Win32.HLLW.Autoruner.5555;Deleted.;
Win32kDiag Log:
Running from: D:\Documents and Settings\user\Desktop\Win32kDiag.exe
Log file at : D:\Documents and Settings\user\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'D:\WINDOWS'...
Finished!
_________________________________
Thanks.
-
OK, can you do the following please:
Delete your copy of ComboFix from the desktop.
Then, re-download ComboFix from one of these locations:
Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://subs.geekstogo.com/ComboFix.exe
Save it ONLY to your Desktop.
Run ComboFix again and post its log afterwards.
-
Re-downloaded and ran ComboFix. Upon restart, while the blue Combofix window was open, got a pop-up message saying that the Recycle bin of Drive D was corrupted. Clicked Yes to clean it up. Following is the ComboFix log:
ComboFix 09-10-16.09 - user 10/18/2009 13:31.3.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.103 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.
2009-10-16 08:05 . 2009-10-16 08:05 -------- d-----w- d:\documents and settings\user\DoctorWeb
2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
2009-10-14 15:02 . 2009-10-14 15:03 1050713 ----a-w- d:\windows\system32\rss.exe
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 08:09 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-18 08:09 . 2009-10-18 08:09 16384 d:\windows\temp\Perflib_Perfdata_54c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"55322:TCP"= 55322:TCP:FD
"9991:TCP"= 9991:TCP:PORT2
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"60715:TCP"= 60715:TCP:FD
"50170:TCP"= 50170:TCP:FD
"53233:TCP"= 53233:TCP:FD
"30525:TCP"= 30525:TCP:FD
"19776:TCP"= 19776:TCP:FD
"53896:TCP"= 53896:TCP:FD
"9892:TCP"= 9892:TCP:FD
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder
2009-10-16 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 13:40
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\SYSTEM32\CTSVCCDA.EXE
d:\program files\JAVA\JRE6\BIN\JQS.EXE
d:\windows\SYSTEM32\HPZIPM12.EXE
d:\windows\SYSTEM32\WDFMGR.EXE
d:\windows\SYSTEM32\MSPMSPSV.EXE
.
**************************************************************************
.
Completion time: 2009-10-18 13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 08:14
ComboFix2.txt 2009-10-15 04:59
Pre-Run: 11,011,719,168 bytes free
Post-Run: 11,020,206,080 bytes free
-
Can you please do the following:
Open Notepad (START >> RUN >> type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it into the empty Notepad file
In Notepad click FILE >> SAVE AS
IMPORTANT >>> Change the Save as Type to All Files.
Name the file fix.reg
Save this file on the desktop
Ensure you copy from REGEDIT4 and down in the code box
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
Double-click on fix.reg and allow it to add/merge to the registry at the prompt.
Go to START >> RUN >> type in cmd and hit OK.
At the prompt, type the following:
ipconfig /flushdns
Then hit Enter on your keyboard.
Note the single space after ipconfig and before the /
TFC (Temp File Cleaner)
Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop, or another location.
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.
Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.
If you are not prompted to reboot, can you reboot manually.
Back in Windows:
Download HostsXpert here (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Next, open HostsXpert. Make sure that the "Make hosts writable?" button in the upper left corner is checked >> it should read 'Make Readonly'.
- Then click on 'Restore MS hosts file' >> OK.
- Close HostsXpert.
Go to this link:
http://www.virustotal.com/flash/index_en.html
Use the browse button and navigate to this file on your hard disk:
d:\windows\system32\rss.exe <-- this file
Right-click on the file and choose Select.
Then use the Submit button.
Let it finish scanning.
Could you post the results of the scan back here please,
or just post the link to the results page.
Are you now able to open Malwarebytes Anti-Malware and do all of the following?
- Check for updates by opening the Update tab.
- If an update is found, it will download and install the latest version.
- Select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Also, are you now able to run AVG and update it?
If so, run a scan with it and post back the results.
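The "Restore MS hosts file" step above addresses a common reason a machine can reach ordinary sites but not AVG, Malwarebytes or Windows Update: the malware appends hosts entries that sinkhole vendor domains to 127.0.0.1 or 0.0.0.0, and usually sets the file read-only so the victim cannot fix it by hand. The following script is an added example written for this page, not HostsXpert code and not from any post in the thread: it parses a hosts file, reports every non-default mapping with a note on whether it sinkholes a security vendor, and produces the stock Microsoft content (comments plus the localhost line) that a restore writes back. The sample file, the vendor watchlist and the 192.0.2.10 address (a documentation range, not a real redirect) are the editor's constructions.

```python
"""Audit a Windows hosts file for sinkhole entries that block AV downloads and updates,
and produce the stock content a 'Restore MS hosts file' step writes back.
Added example; not HostsXpert code. Watchlist and sample are the editor's constructions."""
import ipaddress
import os
from typing import List, Tuple

# A stock Windows XP hosts file maps only localhost (comments aside).
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: a default file with hijack lines appended.
# 192.0.2.10 is a documentation address (TEST-NET-1), not a real redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.avg.com
127.0.0.1 free.avg.com
0.0.0.0 malwarebytes.org
192.0.2.10 www.google.com
"""

# Vendor/update domains malware commonly sinkholes (illustrative, not exhaustive).
WATCHLIST = ("avg.com", "malwarebytes.org", "microsoft.com", "windowsupdate.com",
             "symantec.com", "mcafee.com", "drweb.com", "trendmicro.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments, blanks and malformed addresses."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address; skip rather than guess
        entries.extend((ip, n.lower()) for n in names)
    return entries


def is_watched(name: str) -> bool:
    """True when the hostname is, or is under, a watchlisted vendor domain."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> List[str]:
    """One finding per mapping that a stock hosts file would not carry."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name == "localhost" and addr.is_loopback:
            continue  # the one mapping a stock file carries
        tag = " (security vendor)" if is_watched(name) else ""
        if addr.is_loopback or addr.is_unspecified:
            findings.append(f"{name} sinkholed to {ip}{tag}")
        elif tag:
            findings.append(f"{name} redirected to {ip}{tag}")
        else:
            findings.append(f"{name} pinned to {ip} (non-default entry)")
    return findings


def clean_hosts(text: str) -> str:
    """Keep the original comment lines and write back only the localhost mapping."""
    comments = [ln for ln in text.splitlines() if ln.lstrip().startswith("#")]
    return "\n".join(comments + [DEFAULT_HOSTS.rstrip("\n")]) + "\n"


if __name__ == "__main__":
    # On a live XP box the file is %SystemRoot%\system32\drivers\etc\hosts; malware often
    # sets it read-only too, which is why HostsXpert has a 'make writable' toggle.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                        "system32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample when run elsewhere
    for finding in audit_hosts(text):
        print("-", finding)
```

On the constructed sample it reports the three vendor sinkholes and the pinned google.com entry and nothing else; after clean_hosts() the audit is empty. A non-loopback "redirected to" finding on a vendor domain is the more dangerous case, since it can hand update downloads to an attacker-controlled server rather than simply breaking them.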
-
The problem still persisting is that the "Generic Hosts Process for Win 32 Services..." message pops up and disables the internet connection. The internet connection icon says that it is still connected, but I can't download anything after this window shows up. So I am posting replies in bits and pieces within the time before this window pops up.
I also cannot post the VirusTotal log, but here is the link:
http://www.virustotal.com/analisis/d593b8a3851952a8582b1935f63ce87b3866281cb0ef838c563cad69a9c74d38-1255595597
-
I was able to update Malwarebytes and scan. The Win 32 Svcs window showed up in between though. Had to restart my computer and will try AVG next.
MBAM Log:
Malwarebytes' Anti-Malware 1.41
Database version: 2985
Windows 5.1.2600 Service Pack 2
10/19/2009 6:15:51 PM
mbam-log-2009-10-19 (18-15-51).txt
Scan type: Quick Scan
Objects scanned: 100848
Time elapsed: 7 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windows hosts controller (Worm.Archive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\windows hosts controller (Worm.Archive) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windows hosts controller (Worm.Archive) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WaitToKillServiceT (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\d:\windows\fonts\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
D:\WINDOWS\Fonts\unwise_.exe (Worm.Archive) -> Delete on reboot.
-
After downloading nearly 85% of AVG (at about 33 kbps), the "Generic Host...Win 32 Services...." window came up and interrupted the process. I will try again after a few hours when I may get better download speeds.
-
Downloaded AVG, but while installing, it said there was an error. It created a log file which I saved, but it is a pretty big file (7.9 MB). Please let me know if you want me to put it on Rapidshare. Thank you.
-
Yes please, and upload it if you can.
Use Rapidshare or another file-sharing service:
http://www.rapidshare.com/
Link to the upload please.
Were you able to get AVG installed? If not we'll try an alternative method.
-
I am attaching the AVG log link on RapidShare. I was able to download AVG, but there was an error in installing it. So, no, I was not able to install it.
http://rapidshare.com/files/295369455/avg9inst.log.html
MD5: C245F8A3B232F50E0312DF90DB0B0039
Thank you.
-
Please save [color="#0000FF"]this[/color] (http://ad13.geekstogo.com/Win32kDiag.exe) file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r
Can you once again delete your copy of ComboFix
Redownload a fresh copy from
[color="#0000FF"]Link 1[/color] (http://www.forospyware.com/sUBs/ComboFix.exe)
[color="#0000FF"]Link 2[/color] (http://subs.geekstogo.com/ComboFix.exe)
[color="#FF0000"]Save it ONLY to your Desktop[/color]
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work
[color="#0000FF"]KillAll::
File::
d:\windows\system32\rss.exe
[/color]
Save this as a text file on your desktop, with the exact name of
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When finished, it shall produce a log for you with the same name C:\ComboFix.txt.
Can I see that log again?
In addition: Can you once again run Malwarebytes AntiMalware
It's important that you first check for updates
Then run another quick scan
Remove anything found and reboot if prompted
Come back here and post its log also
-
Win32 Log:
Running from: D:\Documents and Settings\user\desktop\win32kdiag.exe
Log file at : D:\Documents and Settings\user\Desktop\Win32kDiag.txt
Removing all found mount points.
Attempting to reset file permissions.
WARNING: Could not get backup privileges!
Searching 'D:\WINDOWS'...
Finished!
_________________________________________________
ComboFix Log:
ComboFix 09-10-20.03 - user 10/21/2009 14:05.4.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.58 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\user\Desktop\CFScript.txt
* Created a new restore point
FILE ::
"d:\windows\system32\rss.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\windows\Fonts\unwise_.exe
d:\windows\Installer\91fb3.msi
d:\windows\system32\rss.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WINDOWS_HOSTS_CONTROLLER
-------\Service_Windows Hosts Controller
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.
2009-10-19 16:06 . 2009-10-19 16:06 141454 ----a-w- d:\windows\system32\man8.exe
2009-10-16 08:05 . 2009-10-16 08:05 -------- d-----w- d:\documents and settings\user\DoctorWeb
2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
2009-10-12 14:35 . 2009-10-12 14:35 -------- d-----w- D:\FOUND.028
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-21 08:44 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 15:24 . 2009-07-11 15:24 65536 d:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 49152 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 49152 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 57344 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 65536 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 45056 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 40960 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-11 19:37 . 2009-07-11 19:37 57856 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-11 19:49 . 2009-07-11 19:49 69632 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-11 14:11 . 2009-07-11 14:11 97280 d:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-10-21 08:44 . 2009-10-21 08:44 16384 d:\windows\temp\Perflib_Perfdata_610.dat
+ 2009-07-11 19:42 . 2009-07-11 19:42 632656 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-11 19:39 . 2009-07-11 19:39 554832 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-11 19:38 . 2009-07-11 19:38 479232 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-10-19 14:07 . 2009-10-19 14:07 424448 d:\windows\Installer\163814.msi
+ 2009-07-11 15:16 . 2009-07-11 15:16 1093120 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-11 15:16 . 2009-07-11 15:16 1105920 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"d:\\Program Files\\Messenger\\MSMSGS.EXE"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"d:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"d:\\Program Files\\BitTorrent\\bittorrent.exe"=
"d:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:BS
"55322:TCP"= 55322:TCP:FD
"9991:TCP"= 9991:TCP:PORT2
"58311:TCP"= 58311:TCP:FD
"56500:TCP"= 56500:TCP:FD
"36203:TCP"= 36203:TCP:FD
"60715:TCP"= 60715:TCP:FD
"50170:TCP"= 50170:TCP:FD
"53233:TCP"= 53233:TCP:FD
"30525:TCP"= 30525:TCP:FD
"19776:TCP"= 19776:TCP:FD
"53896:TCP"= 53896:TCP:FD
"9892:TCP"= 9892:TCP:FD
"54642:TCP"= 54642:TCP:FD
"44109:TCP"= 44109:TCP:FD
"18930:TCP"= 18930:TCP:FD
"6076:TCP"= 6076:TCP:FD
"47678:TCP"= 47678:TCP:FD
"31557:TCP"= 31557:TCP:FD
"2507:TCP"= 2507:TCP:FD
"55466:TCP"= 55466:TCP:FD
"54018:TCP"= 54018:TCP:FD
"26120:TCP"= 26120:TCP:FD
"29260:TCP"= 29260:TCP:FD
"3114:TCP"= 3114:TCP:FD
"37109:TCP"= 37109:TCP:FD
"19100:TCP"= 19100:TCP:FD
"37711:TCP"= 37711:TCP:FD
"52812:TCP"= 52812:TCP:FD
"51418:TCP"= 51418:TCP:FD
"20930:TCP"= 20930:TCP:FD
"15127:TCP"= 15127:TCP:FD
"19720:TCP"= 19720:TCP:FD
"20501:TCP"= 20501:TCP:FD
"25095:TCP"= 25095:TCP:FD
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder
2009-10-21 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
TCP: {B3EDBC60-91DF-486C-9929-938433EAA145} = 218.248.255.194 218.248.255.162
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 14:15
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\CTSvcCDA.EXE
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\HPZipm12.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\MsPMSPSv.exe
d:\combofix\CF14133.exe
d:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-21 14:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-21 08:48
ComboFix2.txt 2009-10-15 04:59
Pre-Run: 10,667,196,416 bytes free
Post-Run: 10,837,688,320 bytes free
- - End Of File - - 151FC958EC28F9E22478209C88AC2D73
__________________________________________________
Updated MBAM and ran it.
MBAM Log:
Malwarebytes' Anti-Malware 1.41
Database version: 3004
Windows 5.1.2600 Service Pack 2
10/21/2009 2:29:32 PM
mbam-log-2009-10-21 (14-29-32).txt
Scan type: Quick Scan
Objects scanned: 101068
Time elapsed: 5 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
____________________________________
Thank you.
-
You're still getting reinfected
I know our time zones are making our response times less frequent than we both would like
But let's do another step at this please
Delete CFScript.txt from desktop, we're going to redo it
But first do the following
Ensure to Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types.
* Click Yes to confirm.
* Click OK.
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
Change the Save as Type to All Files.
Name the file as reset.bat
Save this file on the desktop
NETSH FIREWALL RESET
Double click on reset.bat
A dos like window will open, then close in a few seconds
that is normal
Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work
[color="#0000FF"]KillAll::
File::
d:\windows\system32\man8.exe
d:\windows\system32\rss.exe
Folder::
D:\FOUND.028
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[/color]
Save this as a text file on your desktop, with the exact name of
CFScript
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
When finished, it shall produce a log for you with the same name C:\ComboFix.txt.
Can I see that log again?
In addition: We need to get some kind of AntiVirus software installed on this computer
If you haven't installed AVG yet
Can you please download and save to desktop
a beta version of Avast 5, from THIS LINK (http://files.avast.com/files/beta/5.0.167/setup_av_free.exe)
Double click to install it
Once installed, open Avast from the icon on desktop
Click on "Maintenance"
UPDATE>>select to "Update Engine and AntiVirus Definitions"
After updating
Click on "SCAN COMPUTER>>BOOT TIME SCANNING
Under "Areas to Scan" Select "All hard Disks"
Then click on the button at the bottom>>SCHEDULE NOW
Then select to Restart Computer
A boot time scan should start before windows loads
Take note of the location of the log created after the scan is done
The default location should be :\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report\aswBoot.txt
If anything is found during the scan, select to Move the virus to Chest
If that is not possible, Repair or Delete it
If an archive, such as .zip or .cab, is found and cannot be moved, deleted or repaired,
simply skip that file
If you can get Avast to install and run, please post its log along with the new log from ComboFix
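The ComboFix log above shows the three things this post's reset.bat and Registry:: lines undo: Security Center overrides set to 1, EnableFirewall set to 0, and dozens of high TCP ports opened under the same label "FD". As an added example (not part of the thread, and not ComboFix's own code), the following Python parses that REGEDIT4-style "Reg Loading Points" section and flags those conditions; the sample lines are constructed from the entries shown in the log.

```python
"""Flag firewall / Security Center weakening in a ComboFix 'Reg Loading Points' dump.

Added example for this thread, not part of ComboFix. The key paths are the
ones ComboFix prints; the sample text below is constructed, not a real log.
"""
import re

# Constructed sample: a slice of the REGEDIT4-style section ComboFix emits.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"55322:TCP"= 55322:TCP:FD
"58311:TCP"= 58311:TCP:FD
"""

KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY\path\to\key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "name"=data  (data may be empty)


def parse_reg_dump(text):
    """Return {key_path: {value_name: value_data}} for a REGEDIT4-style dump."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def _dword(data):
    """Parse 'dword:00000001' or the '0 (0x0)' form ComboFix uses for firewall values."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return int(data.split()[0])


def audit_firewall(keys):
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("security center"):
            # Override flags = 1 silence the 'no antivirus / firewall off' warnings.
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if name in values and _dword(values[name]) == 1:
                    findings.append(f"Security Center {name}=1: alerts suppressed")
        elif low.endswith("firewallpolicy\\standardprofile"):
            if "EnableFirewall" in values and _dword(values["EnableFirewall"]) == 0:
                findings.append("Windows Firewall disabled in standard profile")
        elif low.endswith("globallyopenports\\list"):
            # Group open ports by their rule label; many ports under one label is the
            # pattern seen in the log above (the 'FD' entries), not a hand-made rule.
            by_label = {}
            for name, data in values.items():
                port = int(name.split(":")[0])
                label = data.split(":")[-1] if data else ""
                by_label.setdefault(label, []).append(port)
            for label, ports in by_label.items():
                if len(ports) >= 2:
                    findings.append(
                        f"{len(ports)} ports open under label {label!r}: {sorted(ports)}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(parse_reg_dump(SAMPLE_LOG)):
        print(finding)
```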
-
Thank you for all your help until now. I know the time zones are a problem, but I am ready to make myself available at a time convenient for you. I am 9 hours ahead of New York time.
Following is the ComboFix Log:
ComboFix 09-10-20.03 - user 10/22/2009 12:53.5.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223.89 [GMT 5.5:30]
Running from: d:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\user\Desktop\CFScript.txt
FILE ::
"d:\windows\system32\man8.exe"
"d:\windows\system32\rss.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\FOUND.028
d:\found.028\FILE0000.CHK
d:\found.028\FILE0001.CHK
d:\found.028\FILE0002.CHK
d:\found.028\FILE0003.CHK
d:\found.028\FILE0004.CHK
d:\found.028\FILE0005.CHK
d:\found.028\FILE0006.CHK
d:\found.028\FILE0007.CHK
d:\found.028\FILE0008.CHK
d:\found.028\FILE0009.CHK
d:\found.028\FILE0010.CHK
d:\found.028\FILE0011.CHK
d:\found.028\FILE0012.CHK
d:\found.028\FILE0013.CHK
d:\found.028\FILE0014.CHK
d:\found.028\FILE0015.CHK
d:\found.028\FILE0016.CHK
d:\found.028\FILE0017.CHK
d:\found.028\FILE0018.CHK
d:\found.028\FILE0019.CHK
d:\found.028\FILE0020.CHK
d:\found.028\FILE0021.CHK
d:\found.028\FILE0022.CHK
d:\found.028\FILE0023.CHK
d:\found.028\FILE0024.CHK
d:\found.028\FILE0025.CHK
d:\found.028\FILE0026.CHK
d:\found.028\FILE0027.CHK
d:\found.028\FILE0028.CHK
d:\found.028\FILE0029.CHK
d:\found.028\FILE0030.CHK
d:\found.028\FILE0031.CHK
d:\found.028\FILE0032.CHK
d:\found.028\FILE0033.CHK
d:\found.028\FILE0034.CHK
d:\found.028\FILE0035.CHK
d:\found.028\FILE0036.CHK
d:\found.028\FILE0037.CHK
d:\found.028\FILE0038.CHK
d:\found.028\FILE0039.CHK
d:\found.028\FILE0040.CHK
d:\found.028\FILE0041.CHK
d:\found.028\FILE0042.CHK
d:\found.028\FILE0043.CHK
d:\found.028\FILE0044.CHK
d:\found.028\FILE0045.CHK
d:\found.028\FILE0046.CHK
d:\found.028\FILE0047.CHK
d:\found.028\FILE0048.CHK
d:\found.028\FILE0049.CHK
d:\found.028\FILE0050.CHK
d:\found.028\FILE0051.CHK
d:\found.028\FILE0052.CHK
d:\found.028\FILE0053.CHK
d:\found.028\FILE0054.CHK
d:\found.028\FILE0055.CHK
d:\found.028\FILE0056.CHK
d:\found.028\FILE0057.CHK
d:\found.028\FILE0058.CHK
d:\found.028\FILE0059.CHK
d:\found.028\FILE0060.CHK
d:\found.028\FILE0061.CHK
d:\found.028\FILE0062.CHK
d:\found.028\FILE0063.CHK
d:\found.028\FILE0064.CHK
d:\found.028\FILE0065.CHK
d:\found.028\FILE0066.CHK
d:\found.028\FILE0067.CHK
d:\found.028\FILE0068.CHK
d:\found.028\FILE0069.CHK
d:\found.028\FILE0070.CHK
d:\found.028\FILE0071.CHK
d:\found.028\FILE0072.CHK
d:\found.028\FILE0073.CHK
d:\found.028\FILE0074.CHK
d:\found.028\FILE0075.CHK
d:\found.028\FILE0076.CHK
d:\found.028\FILE0077.CHK
d:\found.028\FILE0078.CHK
d:\found.028\FILE0079.CHK
d:\windows\system32\man8.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-22 to 2009-10-22 )))))))))))))))))))))))))))))))
.
2009-10-16 08:05 . 2009-10-16 08:05 -------- d-----w- d:\documents and settings\user\DoctorWeb
2009-10-14 16:52 . 2009-10-14 16:52 -------- d-----w- d:\documents and settings\user\Application Data\MozillaControl
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 07:30 . 2002-01-06 23:31 196 ----a-w- d:\windows\system32\drivers\ALCICH.DAT
2009-09-10 09:24 . 2001-12-31 20:46 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 09:23 . 2001-12-31 20:46 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
1998-12-08 13:23 . 1998-12-08 13:23 99840 ----a-w- d:\program files\Common Files\IRAABOUT.DLL
1998-12-08 13:23 . 1998-12-08 13:23 70144 ----a-w- d:\program files\Common Files\IRAMDMTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 48640 ----a-w- d:\program files\Common Files\IRALPTTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 31744 ----a-w- d:\program files\Common Files\IRAWEBTR.DLL
1998-12-08 13:23 . 1998-12-08 13:23 186368 ----a-w- d:\program files\Common Files\IRAREG.DLL
1998-12-08 13:23 . 1998-12-08 13:23 17920 ----a-w- d:\program files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( SnapShot@2009-10-14_14.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 15:24 . 2009-07-11 15:24 65536 d:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 49152 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 49152 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 61440 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 57344 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 65536 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 45056 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-11 15:02 . 2009-07-11 15:02 40960 d:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-11 19:37 . 2009-07-11 19:37 57856 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-11 19:49 . 2009-07-11 19:49 69632 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2009-07-11 14:11 . 2009-07-11 14:11 97280 d:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-10-22 07:31 . 2009-10-22 07:31 16384 d:\windows\temp\Perflib_Perfdata_61c.dat
+ 2009-07-11 19:42 . 2009-07-11 19:42 632656 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-11 19:39 . 2009-07-11 19:39 554832 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-11 19:38 . 2009-07-11 19:38 479232 d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2009-10-19 14:07 . 2009-10-19 14:07 424448 d:\windows\Installer\163814.msi
+ 2009-07-11 15:16 . 2009-07-11 15:16 1093120 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-11 15:16 . 2009-07-11 15:16 1105920 d:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2002-01-01 149280]
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=d:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=d:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=d:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=d:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=d:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=d:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=d:\windows\pss\NkbMonitor.exe.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);d:\windows\system32\drivers\RMSPPPOE.SYS [1/1/2002 12:09 AM 31424]
.
Contents of the 'Scheduled Tasks' folder
2009-10-21 d:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- d:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 10:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Windows Live Search - d:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: &Yahoo! Search - file:///d:\program files\Yahoo!\Common/ycsrch.htm
IE: Open in new background tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
IE: Open in new foreground tab - d:\program files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
IE: Yahoo! &Dictionary - file:///d:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///d:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///d:\program files\Yahoo!\Common/ycsms.htm
FF - ProfilePath - d:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7boyuqg7.default\
FF - plugin: d:\program files\BitTorrent_DNA\npbtdna.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-22 13:01
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\CTSvcCDA.EXE
d:\program files\Java\jre6\bin\jqs.exe
d:\windows\system32\HPZipm12.exe
d:\windows\system32\wdfmgr.exe
d:\windows\system32\MsPMSPSv.exe
d:\combofix\CF12168.exe
d:\windows\system32\wscntfy.exe
d:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-22 13:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-22 07:34
ComboFix2.txt 2009-10-21 08:48
ComboFix3.txt 2009-10-15 04:59
Pre-Run: 10,824,990,720 bytes free
Post-Run: 10,795,417,600 bytes free
- - End Of File - - 40438964F219F9D51AC7D68EE2AC5154
_______________________________________
Will reply again after the Avast download. Thanks.
-
Downloaded and ran Avast. Had to Ignore one item as it could not be repaired, moved to chest or deleted. The rest I was able to Move to Chest.
Avast Log:
10/22/2009 13:30
Scan of all local drives
File C:\WINDOWS\SYSTEM\RASPPPOE.EXE is infected by Win32:Trojan-gen, Moved to chest
File C:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP11\A0016403.EXE is infected by Win32:Trojan-gen, Moved to chest
File D:\WINDOWS\system32\RASPPPOE.EXE is infected by Win32:Trojan-gen, Moved to chest
File D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE is infected by Win32:Spyware-gen [Spy], Moved to chest
File D:\Program Files\HP\Digital Imaging\bin\hpqirs08.exe is infected by Win32:Spyware-gen [Spy], Moved to chest
File D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP6\A0006147.msi|>Cabs.w1.cab|>csscan.exe is infected by Win32:Spyware-gen [Spy], Move to chest: Error 0xC0000002 {Not Implemented}, Delete: Error 42111 {The operation is not supported for this type of archive.}, Repair: Error 42060 {The file was not repaired.}
File D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP6\A0006211.rbf is infected by Win32:Spyware-gen [Spy], Moved to chest
File D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP11\A0016404.EXE is infected by Win32:Trojan-gen, Moved to chest
File D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP11\A0016405.EXE is infected by Win32:Spyware-gen [Spy], Moved to chest
File D:\System Volume Information\_restore{B6D9DB89-3E45-45EF-BC98-EBD679773278}\RP11\A0016406.exe is infected by Win32:Spyware-gen [Spy], Moved to chest
File D:\Backup of old c\My Documents\cable4net\RASPPPOE.EXE is infected by Win32:Trojan-gen, Moved to chest
File D:\Backup of old c\data of c\My Documents\cable4net\RASPPPOE.EXE is infected by Win32:Trojan-gen, Moved to chest
File D:\Backup of old d\Documents and Settings\S K Jolly\Local Settings\Temporary Internet Files\Content.IE5\WXMB01QR\optimized_pics[1].zip|>optimized_pics\108_0899_r1.jpg Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 4955
Number of tested files: 211579
Number of infected files: 12
__________________________________________
Thanks.
-
It looks as if a few legit files were infected and moved to chest
Can you try the following, I would like to know if this will work now
Go to the following link
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716254939?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid
Scroll to the bottom to STEP 3
Download and save to desktop, the NORTON REMOVAL TOOL
Follow the instructions
On the Windows desktop, double-click the Norton Removal Tool icon.
Follow the on-screen instructions.
Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
After that is done
Access your Add/Remove Programs and remove McAfee VirusScan Enterprise
Reboot after removal, then next do the following
regardless if McAfee was successfully removed or not
Download and run MCPR.exe
1. Download the removal tool from: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
2. Click Save and save the file to your Desktop
3. Navigate to the folder where the file was saved.
4. Make sure all McAfee windows are closed.
5. Double-click MCPR.exe to run the removal tool.
6. Restart your computer after receiving the message CleanUp Successful.
In addition, can you run OTL.exe and post the new log that opens
Keep me informed how things are running please
-
To begin, the computer is running much better now. The "Generic Host Process......." window has not popped up and the internet connection is fine.
I was able to run the Norton Removal tool.
I could not find McAfee VirusScan Enterprise in the Add/Remove Programs, but when I tried to run MCPR.exe, I got a message saying "McAfee Enterprise software detected. Cannot continue. Please contact McAfee....."
Finally, I downloaded OTL.exe and clicked "Run Scan". Following are the two Logs it created:
OTL Extras logfile created on: 10/22/2009 7:21:59 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = D:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
223.48 Mb Total Physical Memory | 113.43 Mb Available Physical Memory | 50.76% Memory free
547.08 Mb Paging File | 435.42 Mb Available in Paging File | 79.59% Paging File free
Paging file location(s): D:\pagefile.sys 336 672 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 18.62 Gb Total Space | 15.96 Gb Free Space | 85.71% Space Free | Partition Type: FAT32
Drive D: | 18.63 Gb Total Space | 9.83 Gb Free Space | 52.77% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: AA-EC0D1346D3FA
Current User Name: user
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- D:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- D:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "D:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "D:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "D:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Documents and Settings\USER\Local Settings\TEMP\7zS2F.tmp\SymNRT.exe" = D:\Documents and Settings\USER\Local Settings\TEMP\7zS2F.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- (Symantec Corporation)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan
"{0FF18B53-CA57-40BB-B562-21A27B662005}" = 1600
"{1306C737-0AF4-46C7-B282-64E099304712}" = Smart Menus (Windows Live Toolbar)
"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant
"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax
"{1A2948E0-9445-42BE-9D01-472952F2657F}" = Autodesk Design Review
"{1AD5F465-8282-4DAD-B957-E09C0B783D18}" = InstantShare
"{1B680FBA-E317-4E93-AF43-3B59798A4BE0}" = Copy
"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp
"{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}" = Windows Live Sign-in Assistant
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(tm) 6 Update 16
"{272EC8BA-5A08-4ea1-A189-684466A06B02}" = cp_dwShrek2Albums1
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{328420FA-7638-4AB1-81DF-E0FECEFF24E3}" = Windows Live Toolbar Feed Detector (Windows Live Toolbar)
"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}" = CueTour
"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext
"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{5E8D588F-307C-4250-B622-26969027319A}" = PanoStandAlone
"{644D04A2-C682-4FD5-977D-03B804C4B9C5}" = CreativeProjects
"{646A65DD-23FC-418E-B9F0-E0500FB42CB1}" = PhotoGallery
"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan
"{66F324A1-BDC0-11D7-9E5C-00D0B76A8705}" = Creative NOMAD Jukebox Zen Xtra
"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations
"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm
"{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}" = cp_dwShrek2Cards1
"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}" = SkinsHP1
"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}" = DocProc
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A4D7B764-4140-11D4-88EB-0050DA3579C0}" = Nero - Burning Rom
"{A5B9D22C-755A-4AC6-9904-875E80838BB6}" = CP_AtenaShokunin1Config
"{A5F68DC8-0278-4AD8-B413-861509B5F25B}" = ArcSoft Panorama Maker 3
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director
"{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch
"{C6876FE6-A314-4628-B0D7-F3EE5E35C4B4}" = Windows Live Toolbar
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CB449D5A-7710-47aa-B9F5-352B877C90E6}" = 1600_Help
"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg
"{CE0C8CC5-E396-442B-A50E-D1D374A9E820}" = DocumentViewer
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D3F28364-8B10-45F1-8C2D-0037F4538BBB}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{DC3065BF-95B4-42C5-B47D-0B713CDA75D0}" = Creative Zen Vision M
"{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}" = jetAudio
"{F4C6CC40-1142-49be-A28C-7BBD36F0B41A}" = 1600Trb
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Avance AC'97 Audio
"{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}" = CreativeProjectsTemplates
"{FDB226E3-D55D-4922-894F-20CE4646077D}" = Tabbed Browsing (Windows Live Toolbar)
"{FF3999BE-1A7B-4738-88AA-97BF14094A4A}" = PictureProject
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AIM_6" = AIM 6
"avast5" = avast! Free Antivirus
"Creative Jukebox Driver" = Creative Jukebox Driver
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"F-22 Raptor Demo" = F-22 Raptor Demo
"GoogleVideoPlayer" = Google Video Player
"HijackThis" = HijackThis 2.0.2
"HP Photo & Imaging" = HP Image Zone 4.7
"HPExtendedCapabilities" = HP Extended Capabilities 4.7
"LimeWire" = LimeWire PRO 4.12.3
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"MSNINST" = MSN
"QuickTime" = QuickTime
"QuickTime32" = QuickTime for Windows (32-bit)
"Skype_is1" = Skype 2.5
"SysInfo" = Creative System Information
"VLC media player" = VideoLAN VLC media player 0.8.5
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinZip" = WinZip
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Photos Drag-Drop Uploader 1v7" = Yahoo! Photos Easy Upload Tool
"YInstHelper" = Yahoo! Install Manager
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent 6.0
"BitTorrent DNA" = BitTorrent DNA
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 10/21/2009 4:51:16 AM | Computer Name = AA-EC0D1346D3FA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module svchost.exe, version 5.1.2600.2180, fault address 0x00001361.
Error - 10/21/2009 5:29:34 AM | Computer Name = AA-EC0D1346D3FA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module unknown, version 0.0.0.0, fault address 0x001f1cb0.
Error - 10/22/2009 3:12:26 AM | Computer Name = AA-EC0D1346D3FA | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.2180, faulting
module netapi32.dll, version 5.1.2600.2976, fault address 0x00018809.
Error - 10/22/2009 9:31:31 AM | Computer Name = AA-EC0D1346D3FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.
Error - 10/22/2009 9:31:31 AM | Computer Name = AA-EC0D1346D3FA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.
[ System Events ]
Error - 10/21/2009 4:24:32 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)
Error - 10/21/2009 4:24:32 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.
Error - 10/21/2009 4:24:33 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)
Error - 10/21/2009 4:24:33 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.
Error - 10/21/2009 4:24:33 AM | Computer Name = AA-EC0D1346D3FA | Source = Service Control Manager | ID = 7000
Description = The PfModNT service failed to start due to the following error: %%2
Error - 10/21/2009 4:24:33 AM | Computer Name = AA-EC0D1346D3FA | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%126
Error - 10/21/2009 4:26:10 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)
Error - 10/21/2009 4:26:10 AM | Computer Name = AA-EC0D1346D3FA | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.
< End of report >
___________________________________________________
OTL logfile created on: 10/22/2009 7:21:59 PM - Run 1
OTL by OldTimer - Version 3.0.21.0 Folder = D:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
223.48 Mb Total Physical Memory | 113.43 Mb Available Physical Memory | 50.76% Memory free
547.08 Mb Paging File | 435.42 Mb Available in Paging File | 79.59% Paging File free
Paging file location(s): D:\pagefile.sys 336 672 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 18.62 Gb Total Space | 15.96 Gb Free Space | 85.71% Space Free | Partition Type: FAT32
Drive D: | 18.63 Gb Total Space | 9.83 Gb Free Space | 52.77% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: AA-EC0D1346D3FA
Current User Name: user
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2009/10/22 19:20:52 | 00,521,216 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2009/10/15 03:41:36 | 02,555,120 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2004/10/11 11:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\wdfmgr.exe
PRC - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- D:\WINDOWS\System32\HPZipm12.exe
PRC - [2004/08/03 19:26:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Explorer.EXE
PRC - [2002/01/01 11:08:40 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\MsPMSPSv.exe
PRC - [1999/12/12 22:31:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\System32\CTSvcCDA.EXE
========== Win32 Services (SafeList) ==========
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus [Auto | Running])
SRV - [2004/10/11 11:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- D:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2004/08/06 03:50:00 | 00,102,463 | ---- | M] (Network Associates, Inc.) -- D:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework [Auto | Stopped])
SRV - [2004/08/04 00:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2003/02/20 19:19:38 | 00,032,768 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2002/01/01 11:08:40 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [1999/12/12 22:31:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\System32\CTSvcCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
========== Driver Services (SafeList) ==========
DRV - [2009/10/15 03:29:22 | 00,046,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2009/10/15 03:29:00 | 00,149,328 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/10/15 03:25:34 | 00,023,120 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/10/15 03:25:06 | 00,100,176 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/10/15 03:24:54 | 00,019,024 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/10/15 03:24:38 | 00,027,728 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2005/12/16 11:12:48 | 00,091,263 | R--- | M] (VM) -- D:\WINDOWS\System32\Drivers\usbVM31b.sys -- (ZSMC301b [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,051,120 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,021,744 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,016,496 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2004/08/03 23:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys -- (HSF_DP [On_Demand | Stopped])
DRV - [2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys -- (winachsf [On_Demand | Stopped])
DRV - [2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Stopped])
DRV - [2004/08/03 22:29:52 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- D:\WINDOWS\System32\DRIVERS\s3gnbm.sys -- (S3SavageNB [On_Demand | Stopped])
DRV - [2004/08/03 22:29:52 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- D:\WINDOWS\System32\DRIVERS\s3gnbm.sys -- (S3Psddr [On_Demand | Running])
DRV - [2004/07/17 06:06:38 | 00,027,440 | ---- | M] () -- D:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2003/10/23 01:23:00 | 00,016,848 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\System32\DRIVERS\ctpdusb.sys -- (Jukebox3 [On_Demand | Stopped])
DRV - [2002/10/03 00:09:08 | 00,031,424 | R--- | M] (Robert Schlabbach) -- D:\WINDOWS\System32\DRIVERS\RMSPPPOE.SYS -- (RMSPPPOE [On_Demand | Running])
DRV - [2001/11/21 09:23:22 | 00,242,412 | ---- | M] (Avance Logic, Inc.) -- D:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2001/08/23 06:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2001/08/17 12:12:40 | 00,019,017 | ---- | M] (Realtek Semiconductor Corporation) -- D:\WINDOWS\System32\DRIVERS\RTL8029.SYS -- (rtl8029 [On_Demand | Running])
DRV - [2001/05/04 12:54:52 | 00,003,033 | ---- | M] (VIA Technologies. Inc.) -- D:\WINDOWS\System32\Drivers\VIAPFD.SYS -- (VIAPFD [System | Running])
DRV - [2000/10/25 17:57:24 | 00,003,000 | R--- | M] () -- D:\WINDOWS\system32\SetupNT.sys -- (SetupNT [Auto | Running])
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: D:\Program Files\Java\jre6\lib\deploy\jqs\ff [2002/01/01 11:08:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2006/06/21 13:37:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2006/06/21 13:37:04 | 00,000,000 | ---D | M]
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Extensions
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\7boyuqg7.default\extensions
[2008/07/02 20:12:20 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions
[2008/07/02 20:12:24 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2002/01/01 11:09:32 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/08/25 01:45:26 | 00,023,544 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/25 01:45:26 | 00,137,208 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/08/30 03:17:44 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- D:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2007/05/10 22:52:34 | 00,095,864 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2008/01/03 18:19:06 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- D:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/08/25 01:45:28 | 00,065,016 | ---- | M] (mozilla.org) -- D:\Program Files\mozilla firefox\plugins\npnul32.dll
[2002/01/01 11:08:42 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/08/25 00:15:46 | 00,001,394 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/25 00:15:46 | 00,002,193 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/25 00:15:46 | 00,001,534 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/25 00:15:46 | 00,002,344 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/25 00:15:46 | 00,002,371 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/25 00:15:46 | 00,001,178 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/25 00:15:46 | 00,000,792 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\yahoo.xml
O1 HOSTS File: (27 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avast5] D:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Windows Live Search - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: &Yahoo! Search - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Open in new background tab - D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Open in new foreground tab - D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Yahoo! &Dictionary - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202570621154 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202570594275 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/24 00:50:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - D:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
========== Files/Folders - Created Within 30 Days ==========
[2009/10/22 13:23:14 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/10/14 22:22:24 | 00,000,000 | ---D | C] -- D:\Documents and Settings\user\Application Data\MozillaControl
[2009/10/22 13:23:14 | 00,000,000 | ---D | C] -- D:\Program Files\Alwil Software
[2009/10/22 19:20:35 | 00,521,216 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
[2009/10/22 18:58:55 | 00,793,200 | ---- | C] (Symantec Corporation) -- D:\Documents and Settings\user\Desktop\Norton_Removal_Tool.exe
[2009/10/22 13:24:48 | 00,019,024 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/10/22 13:24:47 | 00,149,328 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys
[2009/10/22 13:24:46 | 00,023,120 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys
[2009/10/22 13:24:43 | 00,046,544 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys
[2009/10/22 13:24:39 | 00,100,176 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys
[2009/10/22 13:24:39 | 00,094,544 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon.sys
[2009/10/22 13:24:38 | 00,027,728 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys
[2009/10/22 13:23:46 | 00,149,600 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\aswBoot.exe
[2009/10/22 12:59:29 | 00,000,000 | ---D | C] -- D:\WINDOWS\temp
[2009/10/19 13:20:37 | 00,271,872 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\TFC.exe
[2009/10/18 14:09:36 | 00,000,000 | ---D | C] -- D:\Recycled
[2009/10/16 13:28:26 | 17,909,056 | ---- | C] (Doctor Web, Ltd.) -- D:\Documents and Settings\user\Desktop\drweb-cureit.exe
[2009/10/14 19:54:15 | 00,212,480 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWXCACLS.exe
[2009/10/14 19:54:15 | 00,161,792 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWREG.exe
[2009/10/14 19:54:15 | 00,136,704 | ---- | C] (SteelWerX) -- D:\WINDOWS\SWSC.exe
[2009/10/14 19:54:15 | 00,031,232 | ---- | C] (NirSoft) -- D:\WINDOWS\NIRCMD.exe
[2009/10/14 19:54:06 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[2009/10/14 19:53:26 | 00,000,000 | ---D | C] -- D:\Qoobox
[1998/12/08 18:53:54 | 00,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 18:53:54 | 00,099,840 | ---- | C] (Symantec Corp.) -- D:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 18:53:54 | 00,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 18:53:54 | 00,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 18:53:54 | 00,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 18:53:54 | 00,017,920 | ---- | C] (Symantec Corp.) -- D:\Program Files\Common Files\IRASRIAL.DLL
========== Files - Modified Within 30 Days ==========
[2009/10/22 19:20:52 | 00,521,216 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
[2009/10/22 19:13:46 | 00,608,344 | ---- | M] () -- D:\Documents and Settings\user\Desktop\MCPR.exe
[2009/10/22 19:09:36 | 00,000,256 | ---- | M] () -- D:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/10/22 19:07:52 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2009/10/22 19:07:40 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2009/10/22 19:07:38 | 23,440,9984 | -HS- | M] () -- D:\hiberfil.sys
[2009/10/22 19:07:36 | 00,000,196 | ---- | M] () -- D:\WINDOWS\System32\drivers\ALCICH.DAT
[2009/10/22 18:59:08 | 00,793,200 | ---- | M] (Symantec Corporation) -- D:\Documents and Settings\user\Desktop\Norton_Removal_Tool.exe
[2009/10/22 18:27:54 | 00,001,161 | ---- | M] () -- D:\WINDOWS\win.ini
[2009/10/22 18:27:54 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2009/10/22 15:06:54 | 04,668,928 | ---- | M] () -- D:\Documents and Settings\user\Desktop\911AerialPhotos.pps
[2009/10/22 13:24:52 | 00,001,607 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2009/10/22 13:24:42 | 00,002,626 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2009/10/22 13:07:14 | 00,000,000 | ---- | M] () -- D:\Documents and Settings\user\Desktop\setup_av_free.exe
[2009/10/22 12:47:32 | 00,000,020 | ---- | M] () -- D:\Documents and Settings\user\Desktop\reset.bat
[2009/10/21 14:44:04 | 00,666,658 | ---- | M] () -- D:\Documents and Settings\user\Desktop\drbr.zip
[2009/10/21 13:59:18 | 03,351,153 | R--- | M] () -- D:\Documents and Settings\user\Desktop\ComboFix.exe
[2009/10/21 13:06:22 | 00,047,104 | ---- | M] () -- D:\Documents and Settings\user\Desktop\Win32kDiag(2).exe
[2009/10/21 12:57:30 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2009/10/19 21:36:14 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_zdpwt
[2009/10/19 20:01:38 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_lboha
[2009/10/19 13:20:38 | 00,271,872 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\TFC.exe
[2009/10/19 12:59:46 | 00,000,138 | ---- | M] () -- D:\Documents and Settings\user\Desktop\fix.reg
[2009/10/19 12:58:24 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_chyud
[2009/10/18 13:55:52 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_ebsre
[2009/10/18 13:55:32 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_fbjgq
[2009/10/18 13:49:42 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_ymjfn
[2009/10/18 13:30:20 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_jqrko
[2009/10/17 00:25:00 | 00,047,104 | ---- | M] () -- D:\Documents and Settings\user\Desktop\Win32kDiag.exe
[2009/10/16 13:33:00 | 17,909,056 | ---- | M] (Doctor Web, Ltd.) -- D:\Documents and Settings\user\Desktop\drweb-cureit.exe
[2009/10/15 10:33:14 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_kirhx
[2009/10/15 03:41:22 | 00,149,600 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\aswBoot.exe
[2009/10/15 03:29:22 | 00,046,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys
[2009/10/15 03:29:00 | 00,149,328 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys
[2009/10/15 03:25:34 | 00,023,120 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys
[2009/10/15 03:25:06 | 00,100,176 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys
[2009/10/15 03:25:02 | 00,094,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon.sys
[2009/10/15 03:24:54 | 00,019,024 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/10/15 03:24:38 | 00,027,728 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys
[2009/10/14 22:21:44 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_ccsan
[2009/10/14 20:48:26 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_ebxke
[2009/10/14 20:44:20 | 00,000,081 | ---- | M] () -- D:\WINDOWS\System32\asr_bgann
[2009/10/11 08:10:10 | 00,236,544 | ---- | M] () -- D:\WINDOWS\PEV.exe
========== Files - No Company Name ==========
[2009/10/22 19:13:39 | 00,608,344 | ---- | C] () -- D:\Documents and Settings\user\Desktop\MCPR.exe
[2009/10/22 15:05:31 | 04,668,928 | ---- | C] () -- D:\Documents and Settings\user\Desktop\911AerialPhotos.pps
[2009/10/22 13:24:50 | 00,001,607 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2009/10/22 13:07:13 | 00,000,000 | ---- | C] () -- D:\Documents and Settings\user\Desktop\setup_av_free.exe
[2009/10/22 12:47:30 | 00,000,020 | ---- | C] () -- D:\Documents and Settings\user\Desktop\reset.bat
[2009/10/21 14:43:52 | 00,666,658 | ---- | C] () -- D:\Documents and Settings\user\Desktop\drbr.zip
[2009/10/21 13:59:00 | 03,351,153 | R--- | C] () -- D:\Documents and Settings\user\Desktop\ComboFix.exe
[2009/10/21 13:06:25 | 00,047,104 | ---- | C] () -- D:\Documents and Settings\user\Desktop\Win32kDiag(2).exe
[2009/10/19 21:36:13 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_zdpwt
[2009/10/19 20:01:37 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_lboha
[2009/10/19 12:59:44 | 00,000,138 | ---- | C] () -- D:\Documents and Settings\user\Desktop\fix.reg
[2009/10/19 12:58:23 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_chyud
[2009/10/18 13:55:51 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_ebsre
[2009/10/18 13:55:31 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_fbjgq
[2009/10/18 13:49:40 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_ymjfn
[2009/10/18 13:30:19 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_jqrko
[2009/10/17 00:25:03 | 00,047,104 | ---- | C] () -- D:\Documents and Settings\user\Desktop\Win32kDiag.exe
[2009/10/15 10:33:12 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_kirhx
[2009/10/14 22:21:43 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_ccsan
[2009/10/14 20:48:24 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_ebxke
[2009/10/14 20:44:18 | 00,000,081 | ---- | C] () -- D:\WINDOWS\System32\asr_bgann
[2009/10/14 19:54:15 | 00,236,544 | ---- | C] () -- D:\WINDOWS\PEV.exe
[2009/10/14 19:54:15 | 00,098,816 | ---- | C] () -- D:\WINDOWS\sed.exe
[2009/10/14 19:54:15 | 00,080,412 | ---- | C] () -- D:\WINDOWS\grep.exe
[2009/10/14 19:54:15 | 00,068,096 | ---- | C] () -- D:\WINDOWS\zip.exe
[2007/08/09 14:42:45 | 00,000,261 | ---- | C] () -- D:\WINDOWS\WPE PRO.INI
[2006/08/25 20:37:29 | 00,024,576 | R--- | C] () -- D:\WINDOWS\System32\RunSetup.dll
[2006/08/10 16:51:07 | 00,005,222 | ---- | C] () -- D:\Documents and Settings\user\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/08/10 16:51:07 | 00,000,206 | ---- | C] () -- D:\WINDOWS\HPGdiPlus.ini
[2005/11/23 15:51:52 | 00,000,127 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2005/11/23 15:27:21 | 00,000,820 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/10/24 21:51:23 | 00,271,264 | ---- | C] () -- D:\WINDOWS\VBRUN100.DLL
[2005/10/24 21:46:59 | 00,134,464 | ---- | C] () -- D:\WINDOWS\GLCV20DR.DLL
[2005/10/24 21:46:54 | 00,011,616 | ---- | C] () -- D:\WINDOWS\GLFS20DR.DLL
[2005/10/24 21:43:55 | 00,000,235 | ---- | C] () -- D:\WINDOWS\QTW.INI
[2005/10/24 21:42:43 | 00,000,110 | ---- | C] () -- D:\WINDOWS\KPCMS.INI
[2005/10/24 21:41:58 | 00,000,036 | ---- | C] () -- D:\WINDOWS\progman.ini
[2005/10/24 21:41:54 | 00,000,715 | ---- | C] () -- D:\WINDOWS\CARDSHOP.INI
[2005/10/24 21:38:05 | 00,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2005/10/24 21:38:05 | 00,000,063 | ---- | C] () -- D:\WINDOWS\mdm.ini
[2005/10/24 20:10:17 | 00,000,164 | ---- | C] () -- D:\WINDOWS\avrack.ini
[2005/10/24 20:00:42 | 04,839,974 | -H-- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2005/10/24 20:00:15 | 00,003,000 | R--- | C] () -- D:\WINDOWS\System32\SetupNT.sys
[2005/10/24 19:59:18 | 00,036,648 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2005/10/24 19:57:11 | 00,000,062 | -HS- | C] () -- D:\Documents and Settings\user\Application Data\desktop.ini
[2005/10/24 19:24:09 | 00,000,062 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/03 19:26:44 | 00,081,920 | ---- | C] () -- D:\WINDOWS\System32\ieencode.dll
[2004/07/17 06:06:38 | 00,027,440 | ---- | C] () -- D:\WINDOWS\System32\drivers\secdrv.sys
[2002/01/27 16:22:53 | 00,017,408 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2002/01/18 19:20:56 | 00,000,000 | ---- | C] () -- D:\WINDOWS\NSREX.INI
[2002/01/06 03:19:03 | 00,043,520 | ---- | C] () -- D:\WINDOWS\System32\CmdLineExt03.dll
[2002/01/01 18:16:56 | 00,028,672 | ---- | C] () -- D:\WINDOWS\System32\PdeSrvps.dll
[2002/01/01 09:24:02 | 00,000,008 | ---- | C] () -- D:\WINDOWS\System32\CtSACKey.sys
[2002/01/01 02:08:12 | 00,000,959 | ---- | C] () -- D:\WINDOWS\EntPack.ini
[2002/01/01 00:17:59 | 00,000,097 | ---- | C] () -- D:\WINDOWS\VPPLAYS.INI
[2001/08/23 06:30:00 | 00,001,161 | ---- | C] () -- D:\WINDOWS\win.ini
[2001/08/23 06:30:00 | 00,000,227 | ---- | C] () -- D:\WINDOWS\system.ini
[1999/01/22 10:46:58 | 00,065,536 | ---- | C] () -- D:\WINDOWS\System32\MSRTEDIT.DLL
< End of report >
__________________________________________________________-
Thank you.
-
I am 9 hours ahead of New York time.
Makes you 12 hours ahead of my time :)
Still some files remaining
We'll deal with them in a bit
Go to START>>RUN>>Copy/Paste the following in Red below then hit OK
combofix /u
This will uninstall ComboFix and its components.
NEXT:
Access your Add and Remove Programs, close down all Browser windows
Uninstall the older version of Java
J2SE Runtime Environment 5.0 Update 3
also, uninstall your outdated copy of
Adobe Reader 8.1.2
We'll update it in a bit
Run OTL.exe. Under the Custom Scans/Fixes box at the bottom, copy/paste in the following from the quote box below:
:OTL
SRV - [2004/08/06 03:50:00 | 00,102,463 | ---- | M] (Network Associates, Inc.) -- D:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework [Auto | Stopped])
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
[2009/10/19 13:20:37 | 00,271,872 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\TFC.exe
[2009/10/16 13:28:26 | 17,909,056 | ---- | C] (Doctor Web, Ltd.) -- D:\Documents and Settings\user\Desktop\drweb-cureit.exe
:Services
:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\Documents and Settings\USER\Local Settings\TEMP\7zS2F.tmp\SymNRT.exe" =-
:Files
D:\Documents and Settings\user\Desktop\MCPR.exe
D:\Documents and Settings\user\Desktop\Norton_Removal_Tool.exe
D:\Documents and Settings\user\Desktop\setup_av_free.exe
D:\Documents and Settings\user\Desktop\reset.bat
D:\Documents and Settings\user\Desktop\Win32kDiag(2).exe
D:\WINDOWS\System32\asr_zdpwt
D:\WINDOWS\System32\asr_lboha
D:\Documents and Settings\user\Desktop\fix.reg
D:\WINDOWS\System32\asr_chyud
D:\WINDOWS\System32\asr_ebsre
D:\WINDOWS\System32\asr_fbjgq
D:\WINDOWS\System32\asr_ymjfn
D:\WINDOWS\System32\asr_jqrko
D:\Documents and Settings\user\Desktop\Win32kDiag.exe
D:\WINDOWS\System32\asr_kirhx
D:\WINDOWS\System32\asr_ccsan
D:\WINDOWS\System32\asr_ebxke
D:\WINDOWS\System32\asr_bgann
:Commands
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, please post the log that OTL produces
Afterwards: Update Adobe Reader
Using Mozilla Firefox go to the following link
http://get.adobe.com/reader/
UNTICK "McAfee Security Scan" and/or "Google Toolbar" if they are selected
Then click Download
to download and install the latest version of Adobe Reader
Note: You may get a prompt to allow Adobe downloader to run from Firefox
When the above is done
Can you again run a scan with OTL.exe and post its new log?
-
Following is the OTL Log on start up. I will post the fresh OTL log after installing Adobe.
All processes killed
========== OTL ==========
Service\Driver McAfeeFramework stopped successfully.
Service\Driver McAfeeFramework deleted successfully.
D:\Program Files\Network Associates\Common Framework\FrameworkService.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
D:\Documents and Settings\user\Desktop\TFC.exe moved successfully.
D:\Documents and Settings\user\Desktop\drweb-cureit.exe moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\D:\Documents and Settings\USER\Local Settings\TEMP\7zS2F.tmp\SymNRT.exe deleted successfully.
========== FILES ==========
D:\Documents and Settings\user\Desktop\MCPR.exe moved successfully.
D:\Documents and Settings\user\Desktop\Norton_Removal_Tool.exe moved successfully.
D:\Documents and Settings\user\Desktop\setup_av_free.exe moved successfully.
D:\Documents and Settings\user\Desktop\reset.bat moved successfully.
D:\Documents and Settings\user\Desktop\Win32kDiag(2).exe moved successfully.
D:\WINDOWS\System32\asr_zdpwt moved successfully.
D:\WINDOWS\System32\asr_lboha moved successfully.
D:\Documents and Settings\user\Desktop\fix.reg moved successfully.
D:\WINDOWS\System32\asr_chyud moved successfully.
D:\WINDOWS\System32\asr_ebsre moved successfully.
D:\WINDOWS\System32\asr_fbjgq moved successfully.
D:\WINDOWS\System32\asr_ymjfn moved successfully.
D:\WINDOWS\System32\asr_jqrko moved successfully.
D:\Documents and Settings\user\Desktop\Win32kDiag.exe moved successfully.
D:\WINDOWS\System32\asr_kirhx moved successfully.
D:\WINDOWS\System32\asr_ccsan moved successfully.
D:\WINDOWS\System32\asr_ebxke moved successfully.
D:\WINDOWS\System32\asr_bgann moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
User: user
->Temp folder emptied: 19871202 bytes
File delete failed. D:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 830649 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 89878793 bytes
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. D:\WINDOWS\temp\_avast5_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_6f0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 49389395 bytes
Total Files Cleaned = 152.61 mb
OTL by OldTimer - Version 3.0.21.0 log created on 10232009_105020
Files\Folders moved on Reboot...
File\Folder D:\WINDOWS\temp\_avast5_\Webshlock.txt not found!
File\Folder D:\WINDOWS\temp\Perflib_Perfdata_6f0.dat not found!
Registry entries deleted on Reboot...
___________________________________________
Thank you.
-
Following is the OTL Log after the Adobe Reader installation:
OTL logfile created on: 10/23/2009 11:24:03 AM - Run 2
OTL by OldTimer - Version 3.0.21.0 Folder = D:\Documents and Settings\user\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
223.48 Mb Total Physical Memory | 47.63 Mb Available Physical Memory | 21.31% Memory free
547.08 Mb Paging File | 356.26 Mb Available in Paging File | 65.12% Paging File free
Paging file location(s): D:\pagefile.sys 336 672 [binary data]
%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Program Files
Drive C: | 18.62 Gb Total Space | 15.98 Gb Free Space | 85.82% Space Free | Partition Type: FAT32
Drive D: | 18.63 Gb Total Space | 10.44 Gb Free Space | 56.03% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: AA-EC0D1346D3FA
Current User Name: user
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Processes (SafeList) ==========
PRC - [2009/10/22 19:20:52 | 00,521,216 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
PRC - [2009/10/15 03:41:36 | 02,555,120 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2009/08/25 01:45:04 | 00,908,280 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2004/10/11 11:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\wdfmgr.exe
PRC - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- D:\WINDOWS\System32\HPZipm12.exe
PRC - [2004/08/03 19:26:50 | 01,032,192 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Explorer.EXE
PRC - [2002/01/01 11:08:40 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2002/01/01 11:08:40 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\MsPMSPSv.exe
PRC - [1999/12/12 22:31:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\System32\CTSvcCDA.EXE
PRC - [1998/09/03 23:09:08 | 00,119,400 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\MDM.EXE
========== Win32 Services (SafeList) ==========
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner [On_Demand | Running])
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner [On_Demand | Running])
SRV - [2009/10/15 03:41:34 | 00,040,384 | ---- | M] (ALWIL Software) -- D:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus [Auto | Running])
SRV - [2009/09/23 16:37:30 | 00,051,168 | ---- | M] (NOS Microsystems Ltd.) -- D:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper [On_Demand | Running])
SRV - [2004/10/11 11:20:30 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2004/09/29 12:14:36 | 00,069,632 | ---- | M] (HP) -- D:\WINDOWS\System32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2004/08/04 00:56:46 | 00,038,912 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2003/02/20 19:19:38 | 00,032,768 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2002/01/01 11:08:40 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\MsPMSPSv.exe -- (WMDM PMSP Service [Auto | Running])
SRV - [1999/12/12 22:31:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- D:\WINDOWS\System32\CTSvcCDA.EXE -- (Creative Service for CDROM Access [Auto | Running])
========== Driver Services (SafeList) ==========
DRV - [2009/10/15 03:29:22 | 00,046,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Running])
DRV - [2009/10/15 03:29:00 | 00,149,328 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Running])
DRV - [2009/10/15 03:25:34 | 00,023,120 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Running])
DRV - [2009/10/15 03:25:06 | 00,100,176 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Running])
DRV - [2009/10/15 03:24:54 | 00,019,024 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk [Auto | Running])
DRV - [2009/10/15 03:24:38 | 00,027,728 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Running])
DRV - [2005/12/16 11:12:48 | 00,091,263 | R--- | M] (VM) -- D:\WINDOWS\System32\Drivers\usbVM31b.sys -- (ZSMC301b [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,051,120 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,021,744 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2004/12/14 22:06:52 | 00,016,496 | R--- | M] (HP) -- D:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2004/08/03 23:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2004/08/03 22:41:56 | 01,041,536 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFDPSP2.sys -- (HSF_DP [On_Demand | Stopped])
DRV - [2004/08/03 22:41:56 | 00,011,868 | ---- | M] (Conexant) -- D:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2004/08/03 22:41:50 | 00,685,056 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFCXTS2.sys -- (winachsf [On_Demand | Stopped])
DRV - [2004/08/03 22:41:48 | 00,220,032 | ---- | M] (Conexant Systems, Inc.) -- D:\WINDOWS\System32\DRIVERS\HSFBS2S2.sys -- (HSFHWBS2 [On_Demand | Stopped])
DRV - [2004/08/03 22:29:52 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- D:\WINDOWS\System32\DRIVERS\s3gnbm.sys -- (S3SavageNB [On_Demand | Stopped])
DRV - [2004/08/03 22:29:52 | 00,166,912 | ---- | M] (S3 Graphics, Inc.) -- D:\WINDOWS\System32\DRIVERS\s3gnbm.sys -- (S3Psddr [On_Demand | Running])
DRV - [2004/07/17 06:06:38 | 00,027,440 | ---- | M] () -- D:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2003/10/23 01:23:00 | 00,016,848 | ---- | M] (Creative Technology Ltd.) -- D:\WINDOWS\System32\DRIVERS\ctpdusb.sys -- (Jukebox3 [On_Demand | Stopped])
DRV - [2002/10/03 00:09:08 | 00,031,424 | R--- | M] (Robert Schlabbach) -- D:\WINDOWS\System32\DRIVERS\RMSPPPOE.SYS -- (RMSPPPOE [On_Demand | Running])
DRV - [2001/11/21 09:23:22 | 00,242,412 | ---- | M] (Avance Logic, Inc.) -- D:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [2001/08/23 06:30:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2001/08/17 12:12:40 | 00,019,017 | ---- | M] (Realtek Semiconductor Corporation) -- D:\WINDOWS\System32\DRIVERS\RTL8029.SYS -- (rtl8029 [On_Demand | Running])
DRV - [2001/05/04 12:54:52 | 00,003,033 | ---- | M] (VIA Technologies. Inc.) -- D:\WINDOWS\System32\Drivers\VIAPFD.SYS -- (VIAPFD [System | Running])
DRV - [2000/10/25 17:57:24 | 00,003,000 | R--- | M] () -- D:\WINDOWS\system32\SetupNT.sys -- (SetupNT [Auto | Running])
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = D:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: D:\Program Files\Java\jre6\lib\deploy\jqs\ff [2002/01/01 11:08:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2006/06/21 13:37:06 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2006/06/21 13:37:04 | 00,000,000 | ---D | M]
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Extensions
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/07/02 20:13:18 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\7boyuqg7.default\extensions
[2009/10/23 10:59:56 | 00,000,000 | ---D | M] -- D:\Documents and Settings\user\Application Data\mozilla\Firefox\Profiles\7boyuqg7.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2008/07/02 20:12:20 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions
[2008/07/02 20:12:24 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2002/01/01 11:09:32 | 00,000,000 | ---D | M] -- D:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
[2009/08/25 01:45:26 | 00,023,544 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/08/25 01:45:26 | 00,137,208 | ---- | M] (Mozilla Foundation) -- D:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin2.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin3.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin4.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin5.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin6.dll
[2007/09/19 15:04:20 | 00,106,496 | ---- | M] (Apple Computer, Inc.) -- D:\Program Files\mozilla firefox\plugins\npqtplugin7.dll
[2007/08/30 03:17:44 | 00,054,600 | ---- | M] (BitTorrent, Inc.) -- D:\Program Files\mozilla firefox\plugins\npbittorrent.dll
[2008/01/03 18:19:06 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- D:\Program Files\mozilla firefox\plugins\np32dsw.dll
[2009/08/25 01:45:28 | 00,065,016 | ---- | M] (mozilla.org) -- D:\Program Files\mozilla firefox\plugins\npnul32.dll
[2002/01/01 11:08:42 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2009/09/23 16:37:30 | 00,032,448 | ---- | M] (NOS Microsystems Ltd.) -- D:\Program Files\mozilla firefox\plugins\np_gp.dll
[2009/02/27 13:13:42 | 00,103,792 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\mozilla firefox\plugins\nppdf32.dll
[2009/08/25 00:15:46 | 00,001,394 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/25 00:15:46 | 00,002,193 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/08/25 00:15:46 | 00,001,534 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/25 00:15:46 | 00,002,344 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/25 00:15:46 | 00,002,371 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/25 00:15:46 | 00,001,178 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/25 00:15:46 | 00,000,792 | ---- | M] () -- D:\Program Files\mozilla firefox\searchplugins\yahoo.xml
O1 HOSTS File: (27 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe ARM] D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast5] D:\Program Files\Alwil Software\Avast5\AvastUI.exe (ALWIL Software)
O4 - HKLM..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\RunOnce: [Uninstall Adobe Download Manager] File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disableregistrytools = 0
O8 - Extra context menu item: &Windows Live Search - D:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: &Yahoo! Search - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Open in new background tab - D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Open in new foreground tab - D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui (Microsoft Corporation)
O8 - Extra context menu item: Yahoo! &Dictionary - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - D:\Program Files\Yahoo!\Common [2002/01/01 02:37:36 | 00,000,000 | ---D | M]
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_16.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202570621154 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202570594275 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/10/24 00:50:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - D:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
========== Files/Folders - Created Within 30 Days ==========
[2009/10/22 13:23:14 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/10/23 11:00:07 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Application Data\NOS
[2009/10/14 22:22:24 | 00,000,000 | ---D | C] -- D:\Documents and Settings\user\Application Data\MozillaControl
[2009/10/23 11:10:52 | 00,000,000 | ---D | C] -- D:\Program Files\Common Files\Adobe AIR
[2009/10/22 13:23:14 | 00,000,000 | ---D | C] -- D:\Program Files\Alwil Software
[2009/10/23 11:00:06 | 00,000,000 | ---D | C] -- D:\Program Files\NOS
[2009/10/23 11:13:03 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2009/10/23 10:50:20 | 00,000,000 | ---D | C] -- D:\_OTL
[2009/10/23 09:58:59 | 00,000,000 | --SD | C] -- D:\ComboFix
[2009/10/22 19:20:35 | 00,521,216 | ---- | C] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
[2009/10/22 13:24:48 | 00,019,024 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/10/22 13:24:47 | 00,149,328 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys
[2009/10/22 13:24:46 | 00,023,120 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys
[2009/10/22 13:24:43 | 00,046,544 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys
[2009/10/22 13:24:39 | 00,100,176 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys
[2009/10/22 13:24:39 | 00,094,544 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon.sys
[2009/10/22 13:24:38 | 00,027,728 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys
[2009/10/22 13:23:46 | 00,149,600 | ---- | C] (ALWIL Software) -- D:\WINDOWS\System32\aswBoot.exe
[2009/10/22 12:59:29 | 00,000,000 | ---D | C] -- D:\WINDOWS\temp
[2009/10/18 14:09:36 | 00,000,000 | -HSD | C] -- D:\Recycled
[2009/10/14 19:54:06 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERDNT
[1998/12/08 18:53:54 | 00,186,368 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAREG.DLL
[1998/12/08 18:53:54 | 00,099,840 | ---- | C] (Symantec Corp.) -- D:\Program Files\Common Files\IRAABOUT.DLL
[1998/12/08 18:53:54 | 00,070,144 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAMDMTR.DLL
[1998/12/08 18:53:54 | 00,048,640 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRALPTTR.DLL
[1998/12/08 18:53:54 | 00,031,744 | ---- | C] (Symantec Corp., Peter Norton Computing Group) -- D:\Program Files\Common Files\IRAWEBTR.DLL
[1998/12/08 18:53:54 | 00,017,920 | ---- | C] (Symantec Corp.) -- D:\Program Files\Common Files\IRASRIAL.DLL
========== Files - Modified Within 30 Days ==========
[2009/10/23 11:22:02 | 00,000,641 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2009/10/23 11:18:30 | 00,001,636 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/10/23 11:09:56 | 00,000,256 | ---- | M] () -- D:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/10/23 10:52:52 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT
[2009/10/23 10:52:24 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat
[2009/10/23 10:52:22 | 23,440,9984 | -HS- | M] () -- D:\hiberfil.sys
[2009/10/23 10:52:20 | 00,000,196 | ---- | M] () -- D:\WINDOWS\System32\drivers\ALCICH.DAT
[2009/10/22 19:20:52 | 00,521,216 | ---- | M] (OldTimer Tools) -- D:\Documents and Settings\user\Desktop\OTL.exe
[2009/10/22 18:27:54 | 00,001,161 | ---- | M] () -- D:\WINDOWS\win.ini
[2009/10/22 18:27:54 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini
[2009/10/22 15:06:54 | 04,668,928 | ---- | M] () -- D:\Documents and Settings\user\Desktop\911AerialPhotos.pps
[2009/10/22 13:24:52 | 00,001,607 | ---- | M] () -- D:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2009/10/22 13:24:42 | 00,002,626 | ---- | M] () -- D:\WINDOWS\System32\CONFIG.NT
[2009/10/21 14:44:04 | 00,666,658 | ---- | M] () -- D:\Documents and Settings\user\Desktop\drbr.zip
[2009/10/21 12:57:30 | 00,002,206 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl
[2009/10/15 03:41:22 | 00,149,600 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\aswBoot.exe
[2009/10/15 03:29:22 | 00,046,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswTdi.sys
[2009/10/15 03:29:00 | 00,149,328 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswSP.sys
[2009/10/15 03:25:34 | 00,023,120 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswRdr.sys
[2009/10/15 03:25:06 | 00,100,176 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon2.sys
[2009/10/15 03:25:02 | 00,094,544 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswmon.sys
[2009/10/15 03:24:54 | 00,019,024 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aswFsBlk.sys
[2009/10/15 03:24:38 | 00,027,728 | ---- | M] (ALWIL Software) -- D:\WINDOWS\System32\drivers\aavmker4.sys
========== Files - No Company Name ==========
[2009/10/23 11:22:01 | 00,000,641 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Acrobat.com.lnk
[2009/10/23 11:18:28 | 00,001,636 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/10/22 15:05:31 | 04,668,928 | ---- | C] () -- D:\Documents and Settings\user\Desktop\911AerialPhotos.pps
[2009/10/22 13:24:50 | 00,001,607 | ---- | C] () -- D:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2009/10/21 14:43:52 | 00,666,658 | ---- | C] () -- D:\Documents and Settings\user\Desktop\drbr.zip
[2007/08/09 14:42:45 | 00,000,261 | ---- | C] () -- D:\WINDOWS\WPE PRO.INI
[2006/08/25 20:37:29 | 00,024,576 | R--- | C] () -- D:\WINDOWS\System32\RunSetup.dll
[2006/08/10 16:51:07 | 00,005,222 | ---- | C] () -- D:\Documents and Settings\user\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
[2006/08/10 16:51:07 | 00,000,206 | ---- | C] () -- D:\WINDOWS\HPGdiPlus.ini
[2005/11/23 15:51:52 | 00,000,127 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\fusioncache.dat
[2005/11/23 15:27:21 | 00,000,820 | ---- | C] () -- D:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/10/24 21:51:23 | 00,271,264 | ---- | C] () -- D:\WINDOWS\VBRUN100.DLL
[2005/10/24 21:46:59 | 00,134,464 | ---- | C] () -- D:\WINDOWS\GLCV20DR.DLL
[2005/10/24 21:46:54 | 00,011,616 | ---- | C] () -- D:\WINDOWS\GLFS20DR.DLL
[2005/10/24 21:43:55 | 00,000,235 | ---- | C] () -- D:\WINDOWS\QTW.INI
[2005/10/24 21:42:43 | 00,000,110 | ---- | C] () -- D:\WINDOWS\KPCMS.INI
[2005/10/24 21:41:58 | 00,000,036 | ---- | C] () -- D:\WINDOWS\progman.ini
[2005/10/24 21:41:54 | 00,000,715 | ---- | C] () -- D:\WINDOWS\CARDSHOP.INI
[2005/10/24 21:38:05 | 00,000,376 | ---- | C] () -- D:\WINDOWS\ODBC.INI
[2005/10/24 21:38:05 | 00,000,063 | ---- | C] () -- D:\WINDOWS\mdm.ini
[2005/10/24 20:10:17 | 00,000,164 | ---- | C] () -- D:\WINDOWS\avrack.ini
[2005/10/24 20:00:42 | 04,839,974 | -H-- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\IconCache.db
[2005/10/24 20:00:15 | 00,003,000 | R--- | C] () -- D:\WINDOWS\System32\SetupNT.sys
[2005/10/24 19:59:18 | 00,036,648 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2005/10/24 19:57:11 | 00,000,062 | -HS- | C] () -- D:\Documents and Settings\user\Application Data\desktop.ini
[2005/10/24 19:24:09 | 00,000,062 | -HS- | C] () -- D:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/03 19:26:44 | 00,081,920 | ---- | C] () -- D:\WINDOWS\System32\ieencode.dll
[2004/07/17 06:06:38 | 00,027,440 | ---- | C] () -- D:\WINDOWS\System32\drivers\secdrv.sys
[2002/01/27 16:22:53 | 00,017,408 | ---- | C] () -- D:\Documents and Settings\user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2002/01/18 19:20:56 | 00,000,000 | ---- | C] () -- D:\WINDOWS\NSREX.INI
[2002/01/06 03:19:03 | 00,043,520 | ---- | C] () -- D:\WINDOWS\System32\CmdLineExt03.dll
[2002/01/01 18:16:56 | 00,028,672 | ---- | C] () -- D:\WINDOWS\System32\PdeSrvps.dll
[2002/01/01 09:24:02 | 00,000,008 | ---- | C] () -- D:\WINDOWS\System32\CtSACKey.sys
[2002/01/01 02:08:12 | 00,000,959 | ---- | C] () -- D:\WINDOWS\EntPack.ini
[2002/01/01 00:17:59 | 00,000,097 | ---- | C] () -- D:\WINDOWS\VPPLAYS.INI
[2001/08/23 06:30:00 | 00,001,161 | ---- | C] () -- D:\WINDOWS\win.ini
[2001/08/23 06:30:00 | 00,000,227 | ---- | C] () -- D:\WINDOWS\system.ini
[1999/01/22 10:46:58 | 00,065,536 | ---- | C] () -- D:\WINDOWS\System32\MSRTEDIT.DLL
< End of report >
Thank you.
-
Looking good
Avast 5 is still Beta, so for now it may not be a good idea to use it as your regular everyday AntiVirus software.
Leave it installed for now, and please do the following.
Avast, at present, is identifying some legit files as trojan-gen, which may not be correct.
Right click the Avast icon by the clock and select OPEN
Under MAINTENANCE open the Virus chest
Find each of the following in the chest, ONLY the ones below
==========================
C:\WINDOWS\SYSTEM\RASPPPOE.EXE
D:\WINDOWS\system32\RASPPPOE.EXE
D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
D:\Program Files\HP\Digital Imaging\bin\hpqirs08.exe
==========================
Right click on each of the files and RESTORE them
Close Avast main menu
Can you scan each one of those files separately at VirusTotal?
Here's the link again; please link to the results:
http://www.virustotal.com/flash/index_en.html
-
Following are the four links. Also, do you have any suggestions for an anti-virus program to use?
Thank you.
http://www.virustotal.com/analisis/f09e291bbfdc481fea2d8d1572902b7a84d18c614eeca5ceee97184e7230cff3-1255897055
http://www.virustotal.com/analisis/f09e291bbfdc481fea2d8d1572902b7a84d18c614eeca5ceee97184e7230cff3-1255897055
http://www.virustotal.com/analisis/751cf7af9a7ed3f977160376b88dc14ef9eb14254acf32d223d4bad6727329ab-1244508227
http://www.virustotal.com/analisis/2d0acbfcb53df42d0282859aed7c3c4e260b913e62575fc31d51f2af79a5505a-1243575730
-
The version of Avast is beta, so let's exchange it for an AntiVirus that is low on system resources,
as you don't have that much RAM installed on this computer.
More RAM would sure help.
Can you go to the following link:
http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322935.html?part=dl-10322935&subj=dl&tag=button&cdlPid=11012914
Download and save the installer to the desktop. The link is "Download Now" (32.39 MB).
Don't install it yet
Please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Back in Windows
Access your Add and Remove Programs and uninstall AVAST 5
When it's removed, reboot your computer again
Back in Windows, go ahead and run the installer for AVIRA AntiVirus that you downloaded earlier
Ensure that you have it check for Updates
The first time it updates may take a while, but allow it time.
NOTE: Avira will display a single big Ad on your computer
Don't be alarmed, just click OK at the bottom of the Ad to close it
A scan of your System should then start
If a scan does not start after updating, double click on the Avira icon by the clock (the red/white umbrella)
and select "Scan system now"
Quarantine or delete everything it finds
When the scan is finished
Reboot the computer
Back in Windows
Can you post all the following back please
Please post the log from Avira
Open Avira again (Double click on the red Umbrella icon by the clock)
Click on REPORTS under Overview
Double click on the Scan report you just made
Then click on "Report File"
In addition post a fresh Hijackthis log
-
Sorry for the delay in replying.
Ran OTC and removed Avast.
Avira Scan Log:
Avira AntiVir Personal
Report file date: Monday, October 26, 2009 13:29
Scanning for 1822519 virus strains and unwanted programs.
Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : AA-EC0D1346D3FA
Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 09:06:16
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 06:28:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 07:05:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 06:28:54
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 08:00:38
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 04:51:44
ANTIVIR2.VDF : 7.1.6.112 4833792 Bytes 10/15/2009 07:52:40
ANTIVIR3.VDF : 7.1.6.146 323072 Bytes 10/25/2009 07:52:44
Engineversion : 8.2.1.44
AEVDF.DLL : 8.1.1.2 106867 Bytes 10/26/2009 07:53:22
AESCRIPT.DLL : 8.1.2.40 487804 Bytes 10/26/2009 07:53:20
AESCN.DLL : 8.1.2.5 127346 Bytes 10/26/2009 07:53:16
AERDL.DLL : 8.1.3.2 479604 Bytes 10/26/2009 07:53:16
AEPACK.DLL : 8.2.0.2 422263 Bytes 10/26/2009 07:53:12
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 05:29:40
AEHEUR.DLL : 8.1.0.167 2011511 Bytes 10/26/2009 07:53:08
AEHELP.DLL : 8.1.7.0 237940 Bytes 10/26/2009 07:52:54
AEGEN.DLL : 8.1.1.68 364918 Bytes 10/26/2009 07:52:52
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/26/2009 07:52:48
AECORE.DLL : 8.1.8.1 184693 Bytes 10/26/2009 07:52:46
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 10:02:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 04:18:00
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 06:02:16
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 10:04:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 06:02:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 10:35:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 06:07:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 10:33:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 03:51:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 06:02:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 11:10:00
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 05:49:50
Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: d:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Start of the scan: Monday, October 26, 2009 13:29
Starting search for hidden objects.
d:\windows\ï¿‹b913580.log
[INFO] The file is not visible.
[WARNING] The file could not be copied to the quarantine directory.
[WARNING] Error in ARK library
'28628' objects were checked, '1' hidden objects were found.
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ALG.EXE' - '1' Module(s) have been scanned
Scan process 'MsPMSPSv.exe' - '1' Module(s) have been scanned
Scan process 'JUSCHED.EXE' - '1' Module(s) have been scanned
Scan process 'EXPLORER.EXE' - '1' Module(s) have been scanned
Scan process 'WDFMGR.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'JQS.EXE' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'SPOOLSV.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'SVCHOST.EXE' - '1' Module(s) have been scanned
Scan process 'LSASS.EXE' - '1' Module(s) have been scanned
Scan process 'SERVICES.EXE' - '1' Module(s) have been scanned
Scan process 'WINLOGON.EXE' - '1' Module(s) have been scanned
Scan process 'CSRSS.EXE' - '1' Module(s) have been scanned
Scan process 'SMSS.EXE' - '1' Module(s) have been scanned
25 processes with 25 modules were scanned
Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan executable files (registry).
The registry was scanned ( '52' files ).
Starting the file scan:
Begin scan in 'C:\' <NEW>
Begin scan in 'D:\' <NEW>
D:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
D:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
D:\Backup of old c\My Documents\My Pictures\WrapperOuter1154.EXE
[DETECTION] Contains recognition pattern of the DR/VirtualBouncer.J.12 dropper
D:\Backup of old c\data of c\My Documents\My Pictures\WrapperOuter1154.EXE
[DETECTION] Contains recognition pattern of the DR/VirtualBouncer.J.12 dropper
Beginning disinfection:
D:\Backup of old c\My Documents\My Pictures\WrapperOuter1154.EXE
[DETECTION] Contains recognition pattern of the DR/VirtualBouncer.J.12 dropper
[NOTE] The file was moved to '4b465f1d.qua'!
D:\Backup of old c\data of c\My Documents\My Pictures\WrapperOuter1154.EXE
[DETECTION] Contains recognition pattern of the DR/VirtualBouncer.J.12 dropper
[NOTE] The file was moved to '4adf9496.qua'!
End of the scan: Monday, October 26, 2009 14:02
Used time: 32:23 Minute(s)
The scan has been done completely.
4829 Scanned directories
176668 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
176664 Files not concerned
1761 Archives were scanned
3 Warnings
4 Notes
28628 Objects were scanned with rootkit scan
1 Hidden objects were found
_______________________________________________________________
HiJack This Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:54 PM, on 10/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\Program Files\Avira\AntiVir Desktop\avguard.exe
D:\WINDOWS\system32\CTSvcCDA.EXE
D:\Program Files\Java\jre6\bin\jqs.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open in new background tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/229?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Open in new foreground tab - res://D:\Program Files\Windows Live Toolbar\Components\en-in\msntabres.dll.mui/230?bd5c537a7d664a57afed0ed06658bb63
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_16.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_16.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570621154 (http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202570621154)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202570594275 (http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202570594275)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5517 bytes
______________________________________________________
Thank you.
-
Looks good,
Do a "System scan only" with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Java adds Java Quick Starter service to run on startup
It's really not needed, and disabling it may save system resources
Open the Windows Control Panel, Open the Java icon
Click the ADVANCED tab>>Expand (+) on Miscellaneous
Untick "Java Quick Starter"
Apply and Ok it then reboot your computer for the change to take effect
Back in Windows
I would add SpywareBlaster to your Protection software, it does not run in the background but helps to silently protect your system
SpywareBlaster by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
At the link you can read more about it if you like then continue with
Free Download on the right>>Continue Download at next page
Basically it:
* Will block bad ActiveX Controls
* Block Malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
Select Manual updating when installing
After installation, Check for updates
After updating, select "Protection Status" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
or again, click on Protection Status>>enable all protection
I would set a weekly scan with Avira
Double click on the Avira icon by the clock
When it opens, click on "Administration" >>"Scheduler"
Put a tick in "ENABLED" beside Complete System Scan
Then right click on Complete System scan and choose to "EDIT JOB"
You can set your preference to run once a week, just follow along the prompts
You can even have Avira shut down the computer after the scan is done
Take a look at the following link
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Tips on keeping your computer running a bit faster
Scroll to the section>Clean unused files from your system
You can manually clean temp files etc.. or I suggest downloading and installing CCleaner
from the above link
NOTE: During install UNTICK the Yahoo Toolbar and any other preference you may not want
Once installed simply click on RUN CLEANER on the bottom right
OK the prompt
When done just close it out
Run it every couple weeks or so, or just before a scheduled AntiVirus scan
If you find that you have to keep logging into sites you normally didn't have to
CCleaner will remove Cookies also, simply open CCleaner
Click on OPTIONS>>COOKIES
Move any Cookie you don't want cleaned in the future to the KEEP SIDE
Run a Disk Defragment on the computer also after the above is done
That should do it :)
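Added example, not from this thread and not part of HijackThis: a small Python script that parses lines in the HijackThis v2.0.2 log format posted above and pulls out the kinds of entries the reply singles out (the O2 BHO marked "(file missing)", the O4 startup items, the O17 NameServer addresses, the R0/R1 start and search pages). The sample log is a constructed excerpt modelled on the posted log; the triage rules (treating "(file missing)" entries as orphaned registry references, listing DNS servers for manual verification against the ISP) are this example's own assumptions, not HijackThis logic.

```python
"""Triage helper for HijackThis v2.0.2 log lines (added example).

Not part of the original thread or of HijackThis. The triage rules below
are assumptions of this example: an entry tagged "(file missing)" is an
orphaned registry reference (the file it points at no longer exists), and
O17 NameServer values are collected so they can be checked by hand against
the ISP's published DNS servers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B3EDBC60-91DF-486C-9929-938433EAA145}: NameServer = 218.248.255.194 218.248.255.162
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# "O2 - BHO: ..." / "R0 - HKCU..." : section code, " - ", rest of the line.
LINE_RE = re.compile(r"^(?P<section>[FRNO]\d+) - (?P<body>.*)$")
# A COM class id in braces, e.g. {53707962-6F74-2D53-2644-206D7942484F}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path up to the first .exe/.dll extension (drops quotes and arguments).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))', re.IGNORECASE)


@dataclass
class Entry:
    section: str          # HijackThis section code, e.g. "O2", "O17"
    body: str             # everything after "<section> - "
    clsid: Optional[str]  # CLSID if the line carries one
    path: Optional[str]   # file path if the line carries one


def parse_log(text: str) -> List[Entry]:
    """Parse HijackThis-style lines; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body,
                             clsid.group(0) if clsid else None,
                             path.group(1) if path else None))
    return entries


def triage(entries: List[Entry]) -> Dict[str, list]:
    """Group entries into the buckets a log reviewer looks at first."""
    report: Dict[str, list] = {"orphaned": [], "dns_servers": [],
                               "startup": [], "start_page": []}
    for e in entries:
        if "(file missing)" in e.body:
            report["orphaned"].append(e)      # registry points at an absent file
        if e.section == "O17":
            m = re.search(r"NameServer = (.+)$", e.body)
            if m:
                report["dns_servers"].extend(m.group(1).split())
        if e.section == "O4":
            report["startup"].append(e)       # Run-key autostarts
        if e.section in ("R0", "R1"):
            report["start_page"].append(e)    # IE start/search page settings
    return report


def format_report(report: Dict[str, list]) -> str:
    lines = []
    for e in report["orphaned"]:
        lines.append(f"ORPHANED  {e.section} {e.clsid or ''} {e.path or ''}".rstrip())
    for e in report["startup"]:
        lines.append(f"STARTUP   {e.section} {e.path or e.body}")
    for e in report["start_page"]:
        lines.append(f"BROWSER   {e.section} {e.body}")
    if report["dns_servers"]:
        lines.append("DNS       verify against ISP: " + " ".join(report["dns_servers"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(parse_log(SAMPLE_LOG))))
```

Run it on a saved HijackThis log by replacing SAMPLE_LOG with the file's contents; the ORPHANED line is the same SDHelper.dll entry the reply above has you fix, and the DNS line lists the O17 servers so they can be compared with the ISP's published resolvers rather than trusted by default.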
-
Thank you very much for all your help and patience. I know it was a long process, slowed further by our different time zones.
Just a couple of questions in the end.
1. Avira takes a long time to load at startup. Can I switch to AVG?
2. Is ATF Cleaner as efficient as CCleaner? I have ATF on my laptop and am more comfortable with it.
3. I presume I can start downloading the Windows updates, which I was unable to do before.
Thank you once again.
-
Here are the system requirements for AVG
* Intel Pentium 1.8 GHz processor or faster
* 550 MB free hard drive space (for installation)
* 512 MB RAM
For Avira
At least 192 MB RAM (Windows XP)
You still have barely enough to run either
NOTE the amount of minimal system RAM
You appear to have 256 MB RAM>>32 mb shared to Video
Is it possible for you to upgrade the amount of Ram installed?
ATF-Cleaner will be fine
Let me know if you can download and install Windows Updates
-
I will get the RAM upgraded and leave Avira on for the time being. And yes, I was able to download and install Microsoft updates.
Thank you very much for all your help.