Author Topic: iexplore.exe  (Read 7821 times)

Offline indfin

iexplore.exe
« on: May 17, 2009, 10:41:19 AM »
Hello again:

Strange happenings on my desktop -- not the laptop you helped me fix last week (that is working fine, thank you).

So I get home last night and I hear music playing on my computer.  I go to the Task Manager and there are no applications running.  In Processes, iexplore.exe is hogging up a lot of memory, slowing down the computer considerably, like when opening Firefox, etc.  The music keeps going on and off, playing I think radio stations.

I went to Firewall and disabled all exceptions and restarted my computer.  Then I downloaded HijackThis, but when I tried to run it, nothing happened.  I deleted it, restarted the computer, downloaded HJT and tried to run it a few more times, but nothing happened.  Finally, I copied HJT to a disc, copied it to my computer and it ran.

Now I have two instances of iexplore.exe running, which are not using too much memory (about 80,000 K combined) and the computer seems to be running at normal speed.  The music is also stopped.

But I am sure I have a virus, spyware or the like.  Can you please check?  Thanks. (I have been watching cricket online from some free sites.)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:41 AM, on 5/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS.000\System32\smss.exe
C:\WINDOWS.000\system32\winlogon.exe
C:\WINDOWS.000\system32\services.exe
C:\WINDOWS.000\system32\lsass.exe
C:\WINDOWS.000\system32\svchost.exe
C:\WINDOWS.000\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS.000\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS.000\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS.000\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS.000\system32\ctfmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yapta BHO - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.000\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - http://www.yapta.com/user (file missing)
O9 - Extra button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra 'Tools' menuitem: Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O9 - Extra 'Tools' menuitem: Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (HKCU)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://us.dbrasweb.db.com/llclient/dbraswe....com+AXXPEE.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS.000\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 7064 bytes
« Last Edit: May 17, 2009, 12:30:48 PM by guestolo »
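As an added example (not a tool from this thread or from the HijackThis project), the script below does the first-pass triage a reviewer would run over an HJT 2.x log of the shape posted above: it counts running process images so a second iexplore.exe with no IE window open stands out, lists every entry HJT marks `(file missing)` (stale registry references to clean or investigate), extracts the O16 DPF lines with the host each ActiveX control was downloaded from, and pulls the O17 NameServer values so they can be compared with the ISP's DNS servers. The sample lines embedded in it are copied from the log above; the regular expressions, function names and report layout are assumptions of this example.

```python
"""HijackThis log triage: first-pass checks over an HJT 2.x log.

Added example for this thread, not a tool from the original post. The sample
lines are copied from the posted log; everything else is constructed here.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the posted log, enough to exercise each check.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS.000\system32\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\hj\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.ooxtv.com/vjocx-en.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}: NameServer = 68.87.64.146
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# HJT item lines start with a section code (O2, O16, R0, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
# O16 body: "DPF: {CLSID} (optional name) - URL"
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+(?:\((.*?)\)\s+)?-\s+(\S+)$")
# O17 body ends with "NameServer = a.b.c.d[,e.f.g.h]"
NS_RE = re.compile(r"NameServer\s*=\s*(.+)$")


def parse_log(log_text):
    """Split an HJT log into (process image paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def process_counts(processes):
    """Count images by basename, case-insensitive (HJT prints Iexplore.exe and iexplore.exe)."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)


def orphaned_entries(entries):
    """Entries whose target HJT could not find on disk."""
    return [(sec, body) for sec, body in entries if body.endswith("(file missing)")]


def downloaded_controls(entries):
    """O16 lines: ActiveX controls IE installed from the web, as (clsid, name, host)."""
    found = []
    for sec, body in entries:
        m = DPF_RE.match(body) if sec == "O16" else None
        if m:
            clsid, name, url = m.groups()
            found.append((clsid.upper(), name or "", urlparse(url).hostname or url))
    return found


def nameservers(entries):
    """O17 lines: DNS servers pinned per interface in the registry."""
    ips = []
    for sec, body in entries:
        m = NS_RE.search(body) if sec == "O17" else None
        if m:
            ips.extend(ip for ip in re.split(r"[ ,]+", m.group(1)) if ip)
    return ips


def triage(log_text):
    """Run every check and return one report dict."""
    procs, entries = parse_log(log_text)
    counts = process_counts(procs)
    return {
        "iexplore_instances": counts.get("iexplore.exe", 0),
        "orphaned": orphaned_entries(entries),
        "dpf": downloaded_controls(entries),
        "nameservers": nameservers(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("iexplore.exe instances:", report["iexplore_instances"])
    print("DNS servers to verify against the ISP:", ", ".join(report["nameservers"]))
    for clsid, name, host in report["dpf"]:
        print(f"O16 control {name or clsid} downloaded from {host}")
    for sec, body in report["orphaned"]:
        print(f"orphaned {sec}: {body}")
```

Run it against a full log by replacing SAMPLE_LOG with the file's contents; the checks are independent, so a log with no O16 or O17 lines simply yields empty lists. An iexplore.exe count above the number of IE windows the user has open is what the original poster was seeing, and the O16 hosts are the sites that were allowed to install code into the browser.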

Offline indfin

iexplore.exe
« Reply #1 on: May 17, 2009, 10:58:53 AM »
Before all this happened, I got the following message a few times when I started Firefox yesterday:

  "The procedure entry point ??_V@YAXPAX@Z could not be located in the dynamic link library msvcrt.dll"

I x-ed it and Firefox worked fine.  It doesn't happen anymore.

The HJT log is showing Internet Explorer and McAfee entries.  I have not opened IE since starting the computer this morning and I do not have McAfee installed on my computer.

AND....the music started again.  I guess the computer has to be on for a while before things kick in.

I have very little free space left on my C: drive (200 MB).  So if I have to download any large files in the process of cleaning this mess up, I may have problems.

Offline guestolo

iexplore.exe
« Reply #2 on: May 17, 2009, 11:03:05 AM »
Download OTListIt2 by OldTimer to your Desktop.
  • Close all windows and Double click on OTListIt2.exe to Run it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTListIt2.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.

Do you want to post your own logs from FRST? Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline indfin

iexplore.exe
« Reply #3 on: May 17, 2009, 11:48:03 AM »
I ran the two programs and pasted them here, but when I hit "Add Reply", it says Method Not Supported.

So I am attaching the two files instead.  Thanks.

OTListIt logfile created on: 5/17/2009 12:35:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8     Folder = C:\Documents and Settings\hj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy
 
479.48 Mb Total Physical Memory | 202.25 Mb Available Physical Memory | 42.18% Memory free
1.37 Gb Paging File | 1.07 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1540 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.000 | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 0.26 Gb Free Space | 1.40% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 57.27 Gb Total Space | 2.45 Gb Free Space | 4.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SOURCE401
Current User Name: hj
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
 
========== Processes (SafeList) ==========
 
PRC - [2009/04/22 19:30:22 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/05/11 09:59:46 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/05/09 16:51:00 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/05/11 10:00:18 | 00,486,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/11 09:59:52 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/05/11 10:00:18 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2001/12/18 00:46:22 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Explorer.EXE
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\Iexplore.exe
PRC - [2009/05/17 12:34:12 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found --  -- (ACDaemon [On_Demand | Stopped])
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/05/11 09:59:46 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/10/06 09:19:36 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/09 16:51:00 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/04/22 19:30:22 | 00,953,168 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2006/11/10 19:18:02 | 00,774,144 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe -- (NBService [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/07/29 19:34:38 | 00,117,544 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.dll -- (usnsvc [On_Demand | Stopped])
SRV - [2009/03/09 13:50:42 | 01,680,928 | ---- | M] (NanJing Nagasoft Co, LTD.) -- C:\WINDOWS.000\system32\nagasoft\vjocx.dll -- (vvdsvc [Auto | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
 
========== Driver Services (SafeList) ==========
 
DRV - [2002/03/25 08:13:54 | 00,303,948 | ---- | M] (Avance Logic, Inc.) -- C:\WINDOWS.000\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
DRV - [1999/09/10 07:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\WINDOWS.000\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Running])
DRV - [2009/05/11 10:00:18 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/11 10:00:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/11 10:00:12 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2005/05/12 14:21:08 | 01,332,544 | ---- | M] (C-Media Inc) -- C:\WINDOWS.000\system32\drivers\cmuda.sys -- (cmuda [On_Demand | Stopped])
DRV - [2008/09/29 20:50:48 | 00,028,672 | ---- | M] () -- C:\WINDOWS.000\system32\Drivers\CO_Mon.sys -- (CO_Mon [On_Demand | Stopped])
DRV - [2007/02/15 20:57:06 | 00,034,760 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS.000\System32\Drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])
DRV - [2009/02/17 13:11:32 | 00,024,232 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS.000\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [System | Running])
DRV - [2008/04/13 14:45:30 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\DRIVERS\gameenum.sys -- (gameenum [On_Demand | Running])
DRV - [2009/04/22 19:30:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS.000\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
DRV - [2001/08/17 14:00:04 | 00,002,944 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\system32\drivers\msmpu401.sys -- (ms_mpu401 [On_Demand | Running])
DRV - [2001/12/18 04:45:46 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS.000\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/29 03:00:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS.000\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/07/16 14:19:52 | 00,070,400 | ---- | M] (Realtek Semiconductor Corporation                           ) -- C:\WINDOWS.000\system32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/04 01:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS.000\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2004/03/02 14:02:30 | 00,167,040 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS.000\system32\DRIVERS\s3gnbm.sys -- (S3Psddr [On_Demand | Running])
DRV - [2004/03/02 14:02:30 | 00,167,040 | ---- | M] (S3 Graphics, Inc.) -- C:\WINDOWS.000\System32\DRIVERS\s3gnbm.sys -- (S3SavageNB [On_Demand | Stopped])
DRV - [2007/11/13 05:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS.000\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2001/09/10 01:30:00 | 00,042,880 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS.000\system32\drivers\viaudio.sys -- (VIAudio [On_Demand | Stopped])
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS.000\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page_bak = http://home.microsoft.com/access/allinone.asp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost
 
========== FireFox ==========
 
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10
 
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/09 16:51:02 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS.000\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/05/11 18:10:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/27 18:16:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/27 18:16:12 | 00,000,000 | ---D | M]
 
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Extensions
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/27 18:16:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\hj\Application Data\mozilla\Firefox\Profiles\41u7rlsp.default\extensions
[2009/04/27 18:16:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/27 18:16:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/09 16:51:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/24 00:38:32 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/24 00:38:34 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/23 20:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 20:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 20:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 20:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 20:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/23 20:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 20:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
 
O1 HOSTS File: (23 bytes) - C:\WINDOWS.000\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1  localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Yapta BHO) - {2020dfef-8c87-4229-aa41-549d82210355} - C:\Program Files\Yapta\YaptaOverlay.dll (Yapta, Inc.)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun =  [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCustomizeWebView = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Yapta - {0094A600-9BDD-4019-BAFE-487284F7D476} - C:\Program Files\Yapta\YaptaSidebar.dll (Yapta, Inc.)
O9 - Extra 'Tools' menuitem : Yapta... - {0094A600-9BDD-4019-BAFE-487284F7D476} -  File not found
O9 - Extra Button: Yapta Settings - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe (Yapta, Inc.)
O9 - Extra 'Tools' menuitem : Yapta Settings... - {0362b485-11fe-469c-ae98-42f478e581a0} - C:\Program Files\Yapta\YaptaSettings.exe (Yapta, Inc.)
O9 - Extra Button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -  File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -  File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -  File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} https://us.dbrasweb.db.com/llclient/dbraswe....com+AXXPEE.dll (Confidence Online for Web Applications)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...99/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab (NsvPlayX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} http://www.live365.com/players/play365.cab (Live365Player Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} http://www.ooxtv.com/vjocx-en.cab (VodClient Control Class)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab (IWinAmpActiveX Class)
O16 - DPF: DirectAnimation Java Classes  (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java  (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{9FA2A991-9158-4DA4-A4FF-3430AA4675FE}\\NameServer = 68.87.64.146
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\ole db\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.0.0812.00.dll (Microsoft Corporation)
O18 - Protocol\Filter:  - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS.000\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS.000\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/05/23 00:39:06 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS.000\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2005/05/30 20:43:38 | 00,000,000 | ---D | M]
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS.000\System32\lsdelete.exe ()
 
========== Files/Folders - Created Within 30 Days ==========
 
[4 C:\WINDOWS.000\System32\*.tmp files]
[5 C:\WINDOWS.000\*.tmp files]
[2009/05/17 12:34:12 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
[2009/05/17 11:22:22 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\hj\Desktop\HiJackThis.exe
[2009/05/14 18:29:17 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2009/05/12 13:30:03 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\System32\nagasoft
[2009/05/12 10:44:21 | 01,089,593 | ---- | C] () -- C:\WINDOWS.000\System32\dllcache\ntprint.cat
[2009/05/11 22:42:15 | 00,000,041 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/05/11 22:42:15 | 00,000,024 | -HS- | C] () -- C:\WINDOWS.000\9DB1EAAE82C91755
[2009/05/11 22:37:26 | 00,000,000 | ---D | C] -- C:\Program Files\SlySoft
[2009/05/11 20:41:24 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\ie8updates
[2009/05/11 20:41:04 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\iecompat.dll
[2009/05/11 20:37:02 | 00,000,000 | -H-D | C] -- C:\WINDOWS.000\ie8
[2009/05/11 18:08:27 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\System32\XPSViewer
[2009/05/11 18:08:16 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/05/11 18:07:48 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/05/11 18:06:14 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\printfilterpipelinesvc.exe
[2009/05/11 18:06:14 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\prntvpt.dll
[2009/05/11 18:06:14 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\filterpipelineprintproc.dll
[2009/05/11 18:06:13 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\xpsshhdr.dll
[2009/05/11 18:06:13 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\xpsshhdr.dll
[2009/05/11 18:06:11 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\xpssvcs.dll
[2009/05/11 18:06:11 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\xpssvcs.dll
[2009/05/11 18:05:14 | 00,000,000 | ---D | C] -- C:\WINDOWS.000\SxsCaPendDel
[2009/05/03 15:43:03 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/04/27 18:16:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\hj\Application Data\Mozilla
[2009/04/27 18:16:10 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2008/09/30 18:08:31 | 00,000,151 | ---- | C] () -- C:\WINDOWS.000\PhotoSnapViewer.INI
[2008/09/30 10:49:20 | 00,000,116 | ---- | C] () -- C:\WINDOWS.000\NeroDigital.ini
[2008/09/12 22:49:29 | 00,028,672 | ---- | C] () -- C:\WINDOWS.000\System32\drivers\CO_Mon.sys
[2008/07/23 12:50:52 | 03,596,288 | ---- | C] () -- C:\WINDOWS.000\System32\qt-dx331.dll
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS.000\System32\dtu100.dll.manifest
[2008/07/23 12:47:34 | 00,000,416 | ---- | C] () -- C:\WINDOWS.000\System32\dpl100.dll.manifest
[2008/07/23 12:46:38 | 00,012,288 | ---- | C] () -- C:\WINDOWS.000\System32\DivXWMPExtType.dll
[2007/04/28 13:46:54 | 00,579,602 | ---- | C] () -- C:\WINDOWS.000\System32\x264vfw.dll
[2007/02/21 10:27:26 | 00,000,929 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_FILES_CFX2.INI
[2007/02/21 10:27:26 | 00,000,863 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_FILES_CFX1.INI
[2007/02/21 10:27:26 | 00,000,144 | ---- | C] () -- C:\WINDOWS.000\FifX_v2.INI
[2007/02/21 10:27:25 | 00,000,817 | ---- | C] () -- C:\WINDOWS.000\WDD_COMPARE_DIR_CFX1.INI
[2007/02/21 10:23:58 | 00,002,143 | ---- | C] () -- C:\WINDOWS.000\WDD_SearchHistory.INI
[2007/01/11 16:13:32 | 00,000,981 | ---- | C] () -- C:\WINDOWS.000\MD_MacroDiffs.INI
[2007/01/11 16:13:32 | 00,000,893 | ---- | C] () -- C:\WINDOWS.000\MD_MicroDiffs.INI
[2007/01/11 16:03:29 | 00,000,036 | ---- | C] () -- C:\WINDOWS.000\SW_Win2000X16.DLL
[2007/01/11 16:00:45 | 00,000,078 | ---- | C] () -- C:\WINDOWS.000\SW_Win2000X9.DLL
[2007/01/03 14:13:49 | 00,000,022 | ---- | C] () -- C:\WINDOWS.000\kodakpcd.hj.ini
[2006/06/23 22:14:50 | 00,000,029 | ---- | C] () -- C:\WINDOWS.000\atid.ini
[2006/06/23 22:14:47 | 00,000,363 | ---- | C] () -- C:\WINDOWS.000\wininit.ini
[2006/05/22 07:47:24 | 00,008,704 | ---- | C] () -- C:\WINDOWS.000\System32\ff_vfw.dll
[2006/05/21 17:56:42 | 00,000,547 | ---- | C] () -- C:\WINDOWS.000\System32\ff_vfw.dll.manifest
[2005/09/25 23:05:57 | 00,000,492 | ---- | C] () -- C:\WINDOWS.000\demo.INI
[2005/05/30 20:51:59 | 00,012,327 | ---- | C] () -- C:\WINDOWS.000\IOS.INI
[2005/05/30 20:51:59 | 00,008,487 | ---- | C] () -- C:\WINDOWS.000\cdplayer.ini
[2005/05/30 20:51:59 | 00,001,105 | ---- | C] () -- C:\WINDOWS.000\_delis43.ini
[2005/05/30 20:51:59 | 00,000,787 | ---- | C] () -- C:\WINDOWS.000\SCANREG.INI
[2005/05/30 20:51:59 | 00,000,120 | ---- | C] () -- C:\WINDOWS.000\protocol.ini
[2005/05/30 20:51:59 | 00,000,045 | ---- | C] () -- C:\WINDOWS.000\DKDGNOL.ini
[2005/05/30 20:51:59 | 00,000,043 | ---- | C] () -- C:\WINDOWS.000\webica.ini
[2005/05/30 20:51:59 | 00,000,032 | ---- | C] () -- C:\WINDOWS.000\concentr.ini
[2005/05/30 20:51:59 | 00,000,028 | ---- | C] () -- C:\WINDOWS.000\QTW.INI
[2005/05/30 20:51:59 | 00,000,026 | ---- | C] () -- C:\WINDOWS.000\MSOFFICE.INI
[2005/05/30 20:51:59 | 00,000,025 | ---- | C] () -- C:\WINDOWS.000\SOL.INI
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\progman.ini
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\MSINFO32.INI
[2005/05/30 20:51:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS.000\CSSETUP.INI
[2005/05/30 20:51:58 | 00,007,885 | ---- | C] () -- C:\WINDOWS.000\NETDET.INI
[2005/05/30 20:51:58 | 00,005,068 | ---- | C] () -- C:\WINDOWS.000\DELETEFI.INI
[2005/05/30 20:51:58 | 00,003,598 | ---- | C] () -- C:\WINDOWS.000\HTMLHELP.INI
[2005/05/30 20:51:58 | 00,001,053 | ---- | C] () -- C:\WINDOWS.000\ODBC.INI
[2005/05/30 20:51:58 | 00,000,225 | ---- | C] () -- C:\WINDOWS.000\TELEPHON.INI
[2005/05/30 20:51:58 | 00,000,181 | ---- | C] () -- C:\WINDOWS.000\winmine.ini
[2005/05/30 20:51:58 | 00,000,060 | ---- | C] () -- C:\WINDOWS.000\POWERPNT.INI
[2005/05/30 20:51:58 | 00,000,054 | ---- | C] () -- C:\WINDOWS.000\WAVEMIX.INI
[2004/07/01 04:28:27 | 00,000,010 | ---- | C] () -- C:\WINDOWS.000\smdat32m.sys
[2004/04/20 11:16:14 | 00,109,056 | ---- | C] () -- C:\WINDOWS.000\System32\plx_upldr.dll
[2003/02/18 18:26:28 | 00,028,672 | ---- | C] () -- C:\WINDOWS.000\System32\cmirmdrv.dll
[2001/12/18 04:46:34 | 00,001,683 | ---- | C] () -- C:\WINDOWS.000\win.ini
[2001/12/18 04:46:14 | 00,000,583 | ---- | C] () -- C:\WINDOWS.000\system.ini
[1999/01/22 18:46:58 | 00,065,536 | ---- | C] () -- C:\WINDOWS.000\System32\MSRTEDIT.DLL
[1980/01/01 00:00:00 | 00,188,416 | ---- | C] () -- C:\WINDOWS.000\System32\MEMBG.DLL
[1980/01/01 00:00:00 | 00,057,344 | ---- | C] () -- C:\WINDOWS.000\System32\ICMFILTER.DLL
 
========== Files - Modified Within 30 Days ==========
 
[4 C:\WINDOWS.000\System32\*.tmp files]
[5 C:\WINDOWS.000\*.tmp files]
[1 C:\Documents and Settings\hj\My Documents\*.tmp files]
[2009/05/18 11:13:54 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\hj\Desktop\HiJackThis.exe
[2009/05/17 12:34:12 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\hj\Desktop\OTListIt2.exe
[2009/05/17 11:20:02 | 00,002,206 | ---- | M] () -- C:\WINDOWS.000\System32\wpa.dbl
[2009/05/17 11:19:36 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\hj\Local Settings\desktop.ini
[2009/05/17 11:13:18 | 00,000,006 | -H-- | M] () -- C:\WINDOWS.000\tasks\SA.DAT
[2009/05/17 11:13:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS.000\bootstat.dat
[2009/05/17 02:38:10 | 00,000,472 | ---- | M] () -- C:\WINDOWS.000\tasks\Ad-Aware Update (Weekly).job
[2009/05/15 08:28:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS.000\tasks\AppleSoftwareUpdate.job
[2009/05/13 08:45:30 | 00,001,683 | ---- | M] () -- C:\WINDOWS.000\win.ini
[2009/05/13 08:45:30 | 00,000,583 | ---- | M] () -- C:\WINDOWS.000\system.ini
[2009/05/13 08:45:30 | 00,000,225 | RHS- | M] () -- C:\boot. ini
[2009/05/12 23:39:46 | 00,000,041 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2009/05/12 10:39:52 | 00,000,037 | ---- | M] () -- C:\WINDOWS.000\vbaddin.ini
[2009/05/12 10:37:58 | 00,001,053 | ---- | M] () -- C:\WINDOWS.000\ODBC.INI
[2009/05/11 22:42:16 | 00,000,024 | -HS- | M] () -- C:\WINDOWS.000\9DB1EAAE82C91755
[2009/05/11 22:20:00 | 00,000,073 | -HS- | M] () -- C:\Documents and Settings\hj\My Documents\desktop.ini
[2009/05/11 22:18:22 | 00,155,568 | ---- | M] () -- C:\WINDOWS.000\System32\FNTCACHE.DAT
[2009/05/11 20:42:04 | 00,001,374 | ---- | M] () -- C:\WINDOWS.000\imsins.BAK
[2009/05/11 18:19:32 | 00,492,928 | ---- | M] () -- C:\WINDOWS.000\System32\PerfStringBackup.INI
[2009/05/11 18:19:32 | 00,435,168 | ---- | M] () -- C:\WINDOWS.000\System32\perfh009.dat
[2009/05/11 18:19:32 | 00,069,032 | ---- | M] () -- C:\WINDOWS.000\System32\perfc009.dat
[2009/05/11 10:00:18 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgldx86.sys
[2009/05/11 10:00:18 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgmfx86.sys
[2009/05/11 10:00:18 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\avgrsstx.dll
[2009/05/11 10:00:12 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS.000\System32\drivers\avgtdix.sys
[2009/05/10 04:00:06 | 00,000,408 | ---- | M] () -- C:\WINDOWS.000\tasks\McAfee.com Scan for Viruses - My Computer tsid_04302005192849.job
[2009/05/10 04:00:06 | 00,000,408 | ---- | M] () -- C:\WINDOWS.000\tasks\McAfee.com Scan for Viruses - My Computer tsid_01092005211916.job
[2009/05/07 03:16:30 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\MRT.exe
[2009/05/06 23:00:02 | 00,000,502 | ---- | M] () -- C:\WINDOWS.000\tasks\Tune-up Application Start.job
[2009/05/05 10:27:56 | 00,000,438 | ---- | M] () -- C:\WINDOWS.000\tasks\EasyShare Registration Task.job
[2009/04/30 18:30:24 | 00,000,151 | ---- | M] () -- C:\WINDOWS.000\PhotoSnapViewer.INI
[2009/04/25 01:30:40 | 00,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\System32\dllcache\iecompat.dll
[2009/04/22 19:31:22 | 00,015,688 | ---- | M] () -- C:\WINDOWS.000\System32\lsdelete.exe
[2009/04/22 19:30:54 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS.000\System32\drivers\Lbd.sys
< End of report >



OTListIt Extras logfile created on: 5/17/2009 12:35:38 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8     Folder = C:\Documents and Settings\hj\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: enu | Date Format: M/d/yyyy
 
479.48 Mb Total Physical Memory | 202.25 Mb Available Physical Memory | 42.18% Memory free
1.37 Gb Paging File | 1.07 Gb Available in Paging File | 77.86% Paging File free
Paging file location(s): C:\pagefile.sys 1000 1540 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.000 | %ProgramFiles% = C:\Program Files
Drive C: | 18.64 Gb Total Space | 0.26 Gb Free Space | 1.40% Space Free | Partition Type: FAT32
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 57.27 Gb Total Space | 2.45 Gb Free Space | 4.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: SOURCE401
Current User Name: hj
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
 
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Disabled:backWeb-7288971
[2008/11/22 11:18:58 | 00,270,128 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe:*:Disabled:µTorrent
[2009/05/11 10:00:04 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Disabled:avgemc.exe
[2009/05/11 09:58:20 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Disabled:avgupd.exe
[2008/12/16 15:16:10 | 00,637,232 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent
[2009/01/18 15:44:04 | 00,342,848 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\DNA\btdna.exe:*:Disabled:DNA
[2008/10/30 14:16:42 | 00,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Disabled:EasyShare
[2009/04/24 00:38:12 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox
[2009/03/08 14:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe:*:Disabled:Internet Explorer
File not found -- C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS.000\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000
[2009/03/27 17:01:02 | 24,103,720 | R--- | M] (Skype Technologies S.A.) -- C:\Program Files\Skype\Phone\Skype.exe:*:Disabled:Skype
[2009/03/23 06:22:06 | 04,054,312 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Disabled:TeamViewer Remote Control Application
[2006/11/17 00:22:30 | 00,495,616 | ---- | M] (TVU Networks) -- C:\Program Files\TVUPlayer\TVUPlayer.exe:*:Disabled:TVU Player Component
File not found -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server
File not found -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{03885E0D-22E9-4B14-ACA3-5F43EDDEAB7C}" = TripStalker
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{235BBFC6-D863-4066-A01A-3BD504C31033}" = Nero 7 Ultra Edition
"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype™ 4.0
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(tm) 6 Update 13
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{54DD126C-E5F5-404C-B4B7-66DF7FD4F2FF}" = MSSoap
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6A136B9A-1895-436F-83F8-30D9C68BB6EA}" = Rhapsody Player Engine
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders  (English) 12
"{90120000-0012-0000-0000-0000000FF1CE}" = Microsoft Office Standard 2007
"{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_STANDARD_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_STANDARD_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_STANDARD_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}_VISPRO_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_STANDARD_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}_VISPRO_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_STANDARD_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_VISPRO_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}" = RTLSetup 2.50.503
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3A1A5F0-0B94-4E69-B3E1-92F25E31BEE9}" = H264 Codecs
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.1
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus® for Adobe
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Avance AC'97 Audio
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FCE50DB8-C610-4C42-BE5C-193F46C6F812}" = Windows Live Messenger
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Abacast Client" = Abacast Client
"Ad-Aware" = Ad-Aware
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"AVG8Uninstall" = AVG Free 8.5
"CloneCD" = CloneCD
"C-Media Audio Driver" = C-Media WDM Audio Driver
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"dBpoweramp FLAC Codec" = dBpoweramp FLAC Codec
"ffdshow" = ffdshow
"FLAC" = FLAC 1.2.0a (remove only)
"Flickr Uploadr" = Flickr Uploadr 2.5.0.15
"foobar2000" = foobar2000 v0.9.6.2
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"P4M266" = ProSavageDDR and Utilities
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"STANDARD" = Microsoft Office Standard 2007
"TeamViewer 4" = TeamViewer 4
"TVUPlayer" = TVUPlayer 2.3.0.0
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"x264 Revision 534 x264.nl" = x264 Revision 534 x264.nl (remove only)
"Yapta" = Yapta
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA
"Confidence Online EE" = Confidence Online(tm) for Web Applications
"uTorrent" = µTorrent
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 4/21/2009 4:06:45 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 9.1.0.163, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 4/25/2009 6:44:07 AM | Computer Name = SOURCE401 | Source = Application Error | ID = 1000
Description = Faulting application avgcsrvx.exe, version 8.0.0.223, faulting module
 avgcorex.dll, version 8.0.0.237, fault address 0x001c09ac.
 
Error - 5/11/2009 6:36:56 PM | Computer Name = SOURCE401 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
 - Failed to compile: System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
 . Error code = 0x80070070  
 
Error - 5/11/2009 6:37:30 PM | Computer Name = SOURCE401 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
 - Failed to compile: System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
 . Error code = 0x80070070  
 
Error - 5/11/2009 6:37:35 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 11307
Description = Product: Microsoft Office Standard 2007 -- Error 1307.There is not
 enough disk space to install this file: C:\Program Files\Common Files\Microsoft
 Shared\Web Server Extensions\12\BIN\FPSRVUTL.DLL.  Free some disk space and click
 'Retry', or click 'Cancel' to exit.
 
Error - 5/11/2009 6:37:43 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft Office Standard 2007 - Update 'Microsoft Office
 2007 Service Pack 2 (SP2)' could not be installed. Error code 1603. Windows Installer
 can create logs to help troubleshoot issues with installing software packages.
Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error - 5/14/2009 1:38:08 PM | Computer Name = SOURCE401 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 SR-1 Professional -- Error 1706. No
 valid source could be found for product Microsoft Office 2000 SR-1 Professional.
  The Windows installer cannot continue.
 
Error - 5/14/2009 1:41:25 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 5/14/2009 1:41:56 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.
 
Error - 5/17/2009 12:01:13 PM | Computer Name = SOURCE401 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3399, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
[ System Events ]
Error - 3/15/2009 1:33:02 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 SOURCE400  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{9FA2A991-9158-4DA4.  The master browser is stopping or an election is
 being forced.
 
Error - 3/15/2009 2:45:05 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 SOURCE400  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{9FA2A991-9158-4DA4.  The master browser is stopping or an election is
 being forced.
 
Error - 3/31/2009 8:28:27 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 SOURCE400  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{9FA2A991-9158-4DA4.  The master browser is stopping or an election is
 being forced.
 
Error - 4/9/2009 1:51:25 PM | Computer Name = SOURCE401 | Source = NetBT | ID = 4307
Description = Initialization failed because the transport refused to open initial
 Addresses.
 
Error - 5/2/2009 12:22:19 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 SOURCE400  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{9FA2A991-9158-4DA4.  The master browser is stopping or an election is
 being forced.
 
Error - 5/2/2009 1:30:25 PM | Computer Name = SOURCE401 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
 SOURCE400  that believes that it is the master browser for the domain on transport
 NetBT_Tcpip_{9FA2A991-9158-4DA4.  The master browser is stopping or an election is
 being forced.
 
Error - 5/11/2009 6:38:10 PM | Computer Name = SOURCE401 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070643: The 2007 Microsoft® Office Suite Service Pack 2 (SP2).
 
Error - 5/11/2009 11:51:42 PM | Computer Name = SOURCE401 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
 with error 0x80070070: The 2007 Microsoft® Office Suite Service Pack 2 (SP2).
 
Error - 5/17/2009 2:32:59 AM | Computer Name = SOURCE401 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
 while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring
 the volume.
 
Error - 5/17/2009 12:17:05 PM | Computer Name = SOURCE401 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
 while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring
 the volume.
 
 
< End of report >
« Last Edit: May 17, 2009, 12:06:42 PM by guestolo »

Offline guestolo

iexplore.exe
« Reply #4 on: May 17, 2009, 12:02:32 PM »
The error you get when posting back is a problem with this line in the log
[2009/05/13 08:45:30 | 00,000,225 | RHS- | M] () -- C:\boot. ini

I simply put a single space after boot and before .ini
I've edited your response to include the logs and removed the attachments
Give me a bit to look over those logs, we're just about to start a late breakfast
So I'll return soon
« Last Edit: May 17, 2009, 12:07:34 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline indfin

iexplore.exe
« Reply #5 on: May 17, 2009, 12:19:54 PM »
Ok.  You are the one doing me a favor.  So, take your time.  Thanks.

Offline guestolo

iexplore.exe
« Reply #6 on: May 17, 2009, 12:30:18 PM »
In the meantime, can you do the following please
Download ATF Cleaner by Atribune and save it to your Desktop.

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
       
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
       
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
       
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
       
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Offline indfin

iexplore.exe
« Reply #7 on: May 17, 2009, 01:54:28 PM »
I ran ATF.  Worked fine, except for Firefox it said "no files removed".

I tried every which way, but I cannot run mbam-setup.exe

When I restarted my computer, an IE window opened up (NOT the browser) saying "Are you sure you want to navigate away from this page" or something to that effect.  Also, I can hear clicking sounds, as when IE opens new pages (again, IE is not open).

Offline guestolo

iexplore.exe
« Reply #8 on: May 17, 2009, 02:02:15 PM »
Can you right click on  mbam-setup.exe and rename it to indfin.exe
Try installing again, let me know if it works



Offline indfin

iexplore.exe
« Reply #9 on: May 17, 2009, 02:05:09 PM »
No, still can't.

Offline guestolo

iexplore.exe
« Reply #10 on: May 17, 2009, 02:11:50 PM »
Download ComboFix from one of these locations:

Link 1
Link 2
  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:
    * It is important you rename Combofix during the download, but not after.
    * Please do not rename Combofix to other names, but only to the one indicated.
    SAVE IT ONLY TO YOUR DESKTOP

      --------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with some tools
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.

    * Click on Tools.
    * Select Advanced.
    * In the left hand pane, scroll down to "Resident Shield".
    * In the main pane, deselect the option to "Enable Resident Shield."
We will reenable this protection later
     
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please
« Last Edit: May 17, 2009, 02:13:23 PM by guestolo »



Offline indfin

iexplore.exe
« Reply #11 on: May 17, 2009, 02:14:39 PM »
Tried mbam again with name change.  Worked this time.  Am running it now.

Offline indfin

iexplore.exe
« Reply #12 on: May 17, 2009, 02:16:48 PM »
Nope. Froze at Finishing Installation.  Will run ComboFix now.

Offline indfin

iexplore.exe
« Reply #13 on: May 17, 2009, 02:57:25 PM »
Ok, here is the ComboFix saga.

It installed the Recovery Console.   It restarted, but with a 30 second timer, not the 2 seconds I saw when I ran this on the laptop.

Then Microsoft did its Disk Error Checking, found a bunch of stuff.  ComboFix started when the computer did, but after a couple of minutes, the computer shut off and restarted again, but this time ComboFix did not start.

The ComboFix folder has numerous files, but the .txt file has essentially nothing.  Here it is:

ComboFix 09-05-17.01 - hj 05/17/2009 15:42:09.1 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.479.166 [GMT -4:00]
Running from: C:\Documents and Settings\hj\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
_____________________________

Should I redo the ComboFix cycle again?  More importantly, is it time for me to panic?

Offline guestolo

iexplore.exe
« Reply #14 on: May 17, 2009, 03:08:15 PM »
Let's try Malwarebytes one more time

Can you ensure that Windows is set to show file extensions
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click OK.

Again, let's try running the installer for Malwarebytes
But this time, right click on indfin.exe and rename the installer to indfin.bat

If it does install alright, but the scanner won't start
Ensure all instances of Malwarebytes are closed
Navigate to the following folder
C:\Program Files\Malwarebytes' Anti-Malware
In that folder, right click on MBAM.exe and rename it to indfin.bat
Run indfin.bat from within the folder, see if you can get it to run

If you still can't get Malwarebytes to run, can you do the following for me
Click on Start, click Run, and then type devmgmt.msc and click OK
On the View menu click on Show hidden devices
Browse to Non-Plug and Play Drivers: do you see something like TDSSserv.sys
« Last Edit: May 17, 2009, 03:17:32 PM by guestolo »



Offline indfin

iexplore.exe
« Reply #15 on: May 17, 2009, 03:26:25 PM »
I tried running Malwarebytes before I saw your last post.  It ran, asked me to restart the computer and below is the .txt file from the Logs tab:

Malwarebytes' Anti-Malware 1.36
Database version: 2145
Windows 5.1.2600 Service Pack 3

5/17/2009 4:12:22 PM
mbam-log-2009-05-17 (16-12-22).txt

Scan type: Quick Scan
Objects scanned: 90215
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.000\SYSTEM32\UACcjsalxrcdvxfmyr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UAColfbbrodenxdqpu.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UAClaliqtydsbitbxa.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UACtenkboukhitftnw.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UACqlxbhepjyyvgved.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\DRIVERS\UACkltublrnoeesxmd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\hj\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS.000\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\FONTS\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\FONTS\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
_________________________________________

I will not do anything from your last post until you reply to this post.
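Added example, not part of the thread or of Malwarebytes: a small Python parser for the MBAM 1.x log format posted above. It counts detections by family and flags the quarantined items a defender still has to follow up on (kernel drivers, the replaced hosts file, the random-looking "UAC" names this TDSS variant used). The sample log is a constructed, abridged copy of the one in this post.

```python
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "section item name action")

# Constructed sample: an abridged copy of the MBAM log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2145
Scan type: Quick Scan

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS.000\SYSTEM32\UACcjsalxrcdvxfmyr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\UAColfbbrodenxdqpu.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS.000\SYSTEM32\DRIVERS\UACkltublrnoeesxmd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS.000\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.000\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# A detection line reads "<item> (<malware name>) -> <action taken>."
LINE_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# The random-looking "UAC"-prefixed file names seen in this log are the TDSS variant's naming scheme.
TDSS_NAME_RE = re.compile(r"^UAC[a-z]{10,}\.(dll|sys)$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (header, detections) parsed from an MBAM 1.x text log."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:  # still in the "key: value" header block
            key, sep, value = line.partition(": ")
            if sep:
                header[key] = value
            continue
        m = LINE_RE.match(line)
        if m:  # "(No malicious items detected)" does not match and is skipped
            detections.append(Detection(section, **m.groupdict()))
    return header, detections


def family_counts(detections):
    """Count detections by classification prefix (Trojan, Rootkit, ...)."""
    return Counter(d.name.split(".")[0] for d in detections)


def follow_up(detections):
    """Quarantined items that still need a defender's attention afterwards."""
    notes = []
    for d in detections:
        base = d.item.rsplit("\\", 1)[-1]
        if d.name.startswith("Rootkit.") or base.lower().endswith(".sys"):
            notes.append((base, "kernel driver: rescan with a rootkit scanner such as GMER"))
        elif base.lower() == "hosts":
            notes.append((base, "hosts file was quarantined: restore the default hosts file"))
        elif TDSS_NAME_RE.match(base):
            notes.append((base, "TDSS-style random name: look for sibling files in system32"))
    return notes
```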

Offline indfin

iexplore.exe
« Reply #16 on: May 17, 2009, 03:30:11 PM »
Forgot to mention earlier, but when ComboFix wanted to restart, it asked me to copy certain file names on a piece of paper, saying we might need them later.  (It also said something like rootkit files.)  What reminded me is that the files in the Malwarebytes log are the ones that ComboFix asked me to copy.

Offline guestolo

iexplore.exe
« Reply #17 on: May 17, 2009, 03:33:44 PM »
It is/was a certain rootkit disabling the tools from running
Can you do the following
delete your copy of Combo-Fix.exe on desktop

Then, Download ComboFix from one of these locations:
Don't rename it, just download it normally

Link 1
Link 2
Save it ONLY to your Desktop

      --------------------------------------------------------------------
Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool

Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please



Offline indfin

iexplore.exe
« Reply #18 on: May 17, 2009, 04:18:43 PM »
Tried running ComboFix a couple of times; doesn't work.

The computer shuts down about 30 seconds after ComboFix starts.  When the computer restarts, it goes through the disk check.  The errors showing up during disk check are:

\combofix\N-\...(some numbers) "first allocation data is not valid the entry is truncated."

Also wanted to make sure that you saw the Malwarebytes log three posts earlier.

Offline guestolo

iexplore.exe
« Reply #19 on: May 17, 2009, 04:33:11 PM »
Yes, I did see the MBAM report
Let's skip ComboFix for now

Can you do the following
Please download gmer.zip  and save it to your desktop.

    * Right click the file you just downloaded and choose Extract all
    * Click Next
    * Click Browse
    * Click the + next to My Computer
    * Click Local Disk (C:)
    * Click Make new folder
    * Enter GMER
    * Click OK, then Next
    * Check Show extracted files and click Finish
    * Double click on GMER.exe to run it.
    * Select the Rootkit tab.
    * Select all drives that are connected to your system to be scanned.
    * Click on the Scan button.
    * When the scan is finished, click Copy to save the scan log to the Windows clipboard.
    * Open Notepad or a similar text editor.
    * Paste the clipboard contents into the text editor.
    * Save the GMER scan log to post later in this thread
    * Close GMER.

Go to the Kaspersky website and perform an online antivirus scan.

   1. Read through the requirements and privacy statement and click on Accept button.
   2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
   3. When the downloads have finished, click on Settings.
   4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
            Spyware, Adware, Dialers, and other potentially dangerous programs
            Archives
            Mail databases
   5. Click on My Computer under Scan.
   6. Once the scan is complete, it will display the results. Click on View Scan Report.
   7. You will see a list of infected items there. Click on Save Report As....
   8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

Please include all the following in your next reply

1. The report from Kaspersky's
2. The log from GMER
