Warning! Win32/adware.virtumonde

This topic is locked
4 replies to this topic

#1 stan99


Posted 24 September 2008 - 09:02 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:10:32, on 9/24/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aspimgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ltcm000c.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\lphctrbj0e3cv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Glance21\Glance.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONQNOTE.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lphctrbj0e3cv] C:\WINDOWS\System32\lphctrbj0e3cv.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Glance.lnk = C:\Program Files\Glance21\Glance.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONQNOTE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B086168A-36B9-4B4C-84A1-1E9B692BBB49}: NameServer = 207.69.188.185,207.69.188.186
O21 - SSODL: VIjpDO - {FCC1D7B0-566B-7D1A-6BD2-4E60C7F6EEAA} - C:\WINDOWS\system32\moo.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 6393 bytes


#2 drex23


Posted 24 September 2008 - 10:01 AM

Hello, stan99. Welcome to BC.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use the Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware and save it to your Desktop.

Double-click mbam-setup.exe to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Please post that log in your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


I would like you to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click the Run Scan button.
  • Two reports will open; copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

In your next reply, please include the following:
  • Log from MBAM
  • Logs from OTViewIt.


#3 stan99


Posted 24 September 2008 - 02:58 PM

THANKS! Worked like a charm, it seems.

-----------------------------------------------------

Malwarebytes' Anti-Malware 1.28
Database version: 1203
Windows 5.1.2600 Service Pack 1

9/24/2008 12:41:12 PM
mbam-log-2008-09-24 (12-41-12).txt

Scan type: Quick Scan
Objects scanned: 52754
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
C:\WINDOWS\system32\lphctrbj0e3cv.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\aspimgr.exe (Trojan.Proxy) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\aspimgr (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\aspimgr (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr (Trojan.Proxy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysrest32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphctrbj0e3cv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sysrest32.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\blphctrbj0e3cv.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphctrbj0e3cv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phctrbj0e3cv.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\s32.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ws386.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aspimgr.exe (Trojan.Proxy) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stan R\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


-----------------------------------------------------


OTViewIt logfile created on: 9/24/2008 12:53:21 PM - Run 1
OTViewIt by OldTimer - Version 1.0.7.2 Folder = C:\Documents and Settings\Stan R\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.42 Mb Total Physical Memory | 66.69 Mb Available Physical Memory | 34.84% Memory free
464.98 Mb Paging File | 307.36 Mb Available in Paging File | 66.10% Paging File free
Paging file location(s): C:\pagefile.sys 286 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.45 Gb Free Space | 29.24% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA
Current User Name: Stan R
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Process Files Modified Within 30 Days ==========

[2008/09/24 12:52:41 | 00,418,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stan R\Desktop\OTViewIt.exe

========== (O23) Win32 Service Files Modified Within 30 Days ==========


========== Driver Service Files Modified Within 30 Days ==========

[2001/08/23 05:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.google.com/ie
"Local Page"=C:\windows\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"Default_Search_URL"=http://www.google.com/ie
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=C:\windows\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com/

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s
"provider"=gogl

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=C:\windows\system32\blank.htm
"Page_Transitions"=
"Search Page"=http://www.google.com
"Start Page"=http://www.google.com/

[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\SOFTWARE\Microsoft\Internet Explorer\Search]
"SearchAssistant"=http://www.google.com/ie

[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\Software\Microsoft\Internet Explorer\SearchURL]
""=http://www.google.com/search?q=%s
"provider"=gogl

[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (HKLM) -- C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINDOWS\system32\msdxm.ocx ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative WebCam Tray"=C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE File not found

========== (O4) Startup Folders ==========

[2007/12/20 06:55:28 | 00,046,592 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\office.lnk.exe

========== (O6 & O7) Current Version Policies ==========


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=1
"NoDispScrSavPage"=1

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=1
"NoDispScrSavPage"=1

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145


[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"NoDispBackgroundPage"=0
"NoDispScrSavPage"=0

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\]
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: @shdoclc.dll,-866 -- C:\WINDOWS\Web\related.htm ()
{c95fe080-8f5d-11d2-a20b-00aa003c157a}: @shdoclc.dll,-864 -- C:\WINDOWS\Web\related.htm ()

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{17492023-C23A-453E-A040-C7C580BBF700}: http://go.microsoft.com/fwlink/?linkid=39204 -- Windows Genuine Advantage Validation Tool
{5ED80217-570B-4DA9-BF44-BE107C0EC166}: http://cdn.scan.onecare.live.com/resource/...lscbase5036.cab -- Windows Live Safety Center Base Module
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_14
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab -- Shockwave Flash Object

========== (O17) DNS Name Servers ==========

{254F2A11-7657-48BC-89C0-390C927BD425} (Servers: | Description: )
{B086168A-36B9-4B4C-84A1-1E9B692BBB49} (Servers: 207.69.188.185,207.69.188.186 | Description: Intel® PRO/100+ MiniPCI)
{C22C0AB2-0338-4B7E-A382-F8137FFF7112} (Servers: | Description: NETGEAR WG511v2 54 Mbps Wireless PC Card)

========== (O21) SSODL Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"VIjpDO"={FCC1D7B0-566B-7D1A-6BD2-4E60C7F6EEAA} (HKLM) -- C:\WINDOWS\system32\moo.dll ()

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2003/01/30 15:34:56 | 00,000,000 | -H-- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[2008/09/24 12:52:39 | 00,418,816 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stan R\Desktop\OTViewIt.exe
[2008/09/24 12:28:21 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/09/24 12:28:20 | 00,017,200 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/09/24 12:28:19 | 00,038,528 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/09/24 12:26:34 | 02,182,784 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stan R\Desktop\mbam-setup.exe
[2008/09/24 06:10:05 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\HijackThis.lnk
[2008/09/24 06:09:56 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Stan R\Desktop\HJTInstall.exe
[2008/09/24 05:56:27 | 05,154,304 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\WindowsDefender.msi
[2008/09/24 00:04:27 | 20,079,0016 | -HS- | C] () -- C:\hiberfil.sys
[2008/09/23 23:19:07 | 00,002,808 | ---- | C] () -- C:\WINDOWS\System32\tmp.reg
[2008/09/23 23:04:18 | 01,658,334 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\SmitfraudFix.exe
[2008/09/23 11:07:33 | 00,014,336 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\WPNT schedule.xls
[2008/09/23 10:52:40 | 00,017,920 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\WPNT attendees.xls
[2008/09/23 04:27:54 | 00,063,586 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\1aswinner004.jpg
[2008/09/18 15:19:30 | 00,031,232 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\TenStepAd.doc
[2008/09/17 09:20:11 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20080917092011.job
[2008/09/16 15:37:39 | 00,047,104 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\KMI-Sept-May-filtered.xls
[2008/09/16 15:23:54 | 00,087,552 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\KMI-Sept-filtered.xls
[2008/09/16 15:09:53 | 00,287,744 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\Member Leads_Quindi_9[1].15.08.xls
[2008/09/15 19:42:15 | 00,144,459 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\monegan on palin.JPG
[2008/09/10 07:06:54 | 00,020,708 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\ryan-033006.pdf
[2008/09/10 06:47:24 | 00,035,809 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\The World Clock - Time Zones - sorted by country name.htm
[2008/09/09 20:09:05 | 00,038,400 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\overseas call list 9-09.xls
[2008/09/08 16:57:01 | 00,028,672 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\9-26-invitation,v2.doc
[2008/09/08 16:50:48 | 00,032,768 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\9-26-invitation.doc
[2008/09/08 08:58:20 | 00,106,689 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\nate castro agreement.pdf
[2008/09/05 11:21:50 | 00,208,589 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\ApprovalLetter-14653.pdf
[2008/09/04 07:13:43 | 00,067,584 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\exportCC-9-03-2008-de-deduped.xls
[2008/09/04 07:13:30 | 00,040,960 | ---- | C] () -- C:\Documents and Settings\Stan R\Desktop\call+list+8-18-2008+to+9-03-2008.xls

========== Files - Modified Within 30 Days ==========

[16 C:\*.tmp files]
[2 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[2008/09/24 12:52:41 | 00,418,816 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stan R\Desktop\OTViewIt.exe
[2008/09/24 12:45:01 | 00,012,612 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/09/24 12:44:44 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/09/24 12:44:27 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/09/24 12:44:14 | 20,079,0016 | -HS- | M] () -- C:\hiberfil.sys
[2008/09/24 12:28:21 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/09/24 12:26:39 | 02,182,784 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Stan R\Desktop\mbam-setup.exe
[2008/09/24 06:10:06 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\HijackThis.lnk
[2008/09/24 06:09:57 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Stan R\Desktop\HJTInstall.exe
[2008/09/24 05:56:32 | 05,154,304 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\WindowsDefender.msi
[2008/09/24 00:13:28 | 00,048,640 | -HS- | M] () -- C:\Documents and Settings\Stan R\Desktop\Thumbs.db
@Alternate Data Stream - 0 bytes -> C:\Documents and Settings\Stan R\Desktop\Thumbs.db:encryptable
[2008/09/23 23:53:57 | 00,002,808 | ---- | M] () -- C:\WINDOWS\System32\tmp.reg
[2008/09/23 23:04:25 | 01,658,334 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\SmitfraudFix.exe
[2008/09/23 11:07:33 | 00,014,336 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\WPNT schedule.xls
[2008/09/23 10:57:14 | 00,017,920 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\WPNT attendees.xls
[2008/09/23 04:25:24 | 00,063,586 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\1aswinner004.jpg
[2008/09/19 17:22:30 | 00,000,410 | ---- | M] () -- C:\WINDOWS\tasks\Norton Security Scan.job
[2008/09/18 15:19:26 | 00,031,232 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\TenStepAd.doc
[2008/09/17 09:20:12 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20080917092011.job
[2008/09/16 15:37:39 | 00,047,104 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\KMI-Sept-May-filtered.xls
[2008/09/16 15:36:02 | 00,087,552 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\KMI-Sept-filtered.xls
[2008/09/16 15:09:55 | 00,287,744 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\Member Leads_Quindi_9[1].15.08.xls
[2008/09/15 19:42:15 | 00,144,459 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\monegan on palin.JPG
[2008/09/10 07:06:54 | 00,020,708 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\ryan-033006.pdf
[2008/09/10 06:47:29 | 00,035,809 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\The World Clock - Time Zones - sorted by country name.htm
[2008/09/10 00:12:56 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/09/10 00:04:02 | 00,038,528 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/09/10 00:03:56 | 00,017,200 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/09/09 20:09:03 | 00,038,400 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\overseas call list 9-09.xls
[2008/09/08 17:12:46 | 00,028,672 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\9-26-invitation,v2.doc
[2008/09/08 16:50:43 | 00,032,768 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\9-26-invitation.doc
[2008/09/08 08:58:20 | 00,106,689 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\nate castro agreement.pdf
[2008/09/05 11:21:43 | 00,208,589 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\ApprovalLetter-14653.pdf
[2008/09/04 07:13:43 | 00,067,584 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\exportCC-9-03-2008-de-deduped.xls
[2008/09/04 07:13:31 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\Stan R\Desktop\call+list+8-18-2008+to+9-03-2008.xls
< End of report >



-----------------------------------------------------


OTViewIt Extras logfile created on: 9/24/2008 12:53:22 PM - Run Stan R
OTViewIt by OldTimer - Version 1.0.7.2 Folder = C:\Documents and Settings\Stan R\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

191.42 Mb Total Physical Memory | 66.69 Mb Available Physical Memory | 34.84% Memory free
464.98 Mb Paging File | 307.36 Mb Available in Paging File | 66.10% Paging File free
Paging file location(s): C:\pagefile.sys 286 384;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.62 Gb Total Space | 5.45 Gb Free Space | 29.24% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA
Current User Name: Stan R
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0x00000000
"FirewallDisableNotify"=0x00000000
"UpdatesDisableNotify"=0x00000000

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_CURRENT_USER Protocol Defaults ==========


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-21-1275210071-1563985344-1060284298-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
msdaipp: [HKLM - No CLSID value]
[2003/09/17 11:01:28 | 00,844,048 | ---- | M] () C:\WINDOWS\system32\msdxm.ocx (vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} (HKLM) [AsyncPProt Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}"=iTunes
"{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}"=HP Driver Diagnostics
"{1F63ED0B-EDD2-4037-B6AB-1358C624AF48}"=Scan
"{20A10409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office OneNote 2003 Beta
"{21E75254-410E-49C4-8981-2E1A2A2221F2}"=HP Diagnostic Assistant
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{2405665A-16C9-4D3A-B70E-F006220E1472}"=Overland
"{267868CE-6DFF-40F7-9C58-C01119B7B117}"=Fax
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}"=Rhapsody Player Engine
"{2F71F2BA-B513-4113-969C-18A84D238E27}"=1310
"{3248F0A8-6813-11D6-A77B-00B0D0150140}"=J2SE Runtime Environment 5.0 Update 14
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{32A3A4F4-B792-11D6-A78A-00B0D0150140}"=J2SE Development Kit 5.0 Update 14
"{34A59AC3-6C5C-4A09-A7F5-369A37176C8A}"=AiOSoftware
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}"=HPSystemDiagnostics
"{3E908702-AF35-4611-9518-955DA24B7E07}"=Microsoft XML Parser and SDK
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}"=Unload
"{457791C5-D702-4143-A7B2-2744BE9573F2}"=HP Software Update
"{595D0DE8-C38A-4432-B851-47DECC1A99BD}"=HP Unload DLL Patch
"{597D73A8-5FDB-4bc1-9893-40B54459F1BC}"=ProductContext
"{5C70F739-3373-4C3C-B5D5-965C37C28E5F}"=Quindi Meeting Companion
"{80413011-029C-4D6B-B3AD-725DDE60B81C}"=1310Trb
"{80EE18E6-F16C-11D4-8BE8-006097C9A3ED}"=ISScript
"{8777AC6D-89F9-4793-8266-DE406F343E89}"=QFolder
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}"=Logitech Desktop Messenger
"{90120000-0020-0409-0000-0000000FF1CE}"=Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Professional with FrontPage
"{910ED86B-8712-4610-9C0B-6B947B03BBBD}"=Microsoft DirectX 8.1 SDK
"{A1062847-0846-427A-92A1-BB8251A91E91}"=HP PSC & OfficeJet 4.2
"{A2500497-FD32-493e-B8E5-28D6728DBEF5}"=Readme
"{A488D63E-B3DD-4423-892F-2F2EC8909518}"=Logitech QuickCam
"{A4EA3AB4-E78C-4286-96DF-26035507CE55}"=AiO_Scan
"{AC76BA86-7AD7-1033-7B44-A71000000002}"=Adobe Reader 7.1.0
"{B3D5D4E0-E965-41C4-ABFD-A7B1AD0663C2}"=Director
"{BF018D2F-C788-4AB1-AB95-1280EAB8F13E}"=TrayApp
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{DA15D535-5E1D-4076-B520-8571346D6238}"=Norton Security Scan
"{DBEA1034-5882-4A88-8033-81C4EF0CFA29}"=Google Toolbar for Internet Explorer
"{E21658D0-8C83-4ADD-937B-6ED07F335ABA}"=1310Tour
"{E90BEB5B-CFA0-418E-9ABB-4C4A7B0D9483}"=1310_Help
"{EC8673DA-F96B-497E-B2DB-BC7B029FD680}"=BufferChm
"{F4F47155-5B4D-42AA-97F8-490BC52EA7F3}"=Destinations
"{F65787F3-B356-45EC-8DD0-0E6758EDBCEE}"=WebReg
"2xAV Plug-In for WMP"=2xAV Plug-In for WMP
"2xAV Plug-In SDK"=2xAV Plug-In SDK
"ActiveTouchMeetingClient"=WebEx
"Adobe Acrobat 5.0"=Adobe Acrobat 5.0
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Shockwave Player"=Adobe Shockwave Player
"AdobeESD"=Adobe Download Manager 1.2 (Remove Only)
"Blaze Media Pro"=Blaze Media Pro
"Creative CardCam"=Creative CardCam Driver (1.00.04.00)
"Creative CardCam Manual English"=Creative CardCam Manual (English)
"Creative CardCam Photo Album"=CardCam Photo Album
"Creative PD1130"=Creative WebCam NX Pro Driver (1.00.06.0512)
"Creative PD1170"=Creative WebCam Notebook Driver (1.00.06.0519)
"Creative WebCam Monitor"=Creative WebCam Monitor
"Creative WebCam NX Pro Manual English"=Creative WebCam NX Pro Manual (English)
"Creative WebCam Pro"=Creative WebCam Pro Driver
"Creative WebCam Pro Manual English"=Creative WebCam Pro Manual (English)
"Glance_is1"=Glance 2.3
"HijackThis"=HijackThis 2.0.2
"HP Photo & Imaging"=HP Image Zone 4.2
"InstallShield_{0552A36D-0D7E-4FF5-8FDB-6629ABA7C779}"=iTunes
"InstallShield_{910ED86B-8712-4610-9C0B-6B947B03BBBD}"=DirectX 8.1 SDK
"KB870669"=Microsoft Data Access Components KB870669
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"PROSet"=Intel® PRO Network Adapters and Drivers
"Q828026"=Windows Media Player Hotfix [See Q828026 for more information]
"QcDrv"=Logitech® Camera Driver
"QuickTime"=QuickTime
"RealPlayer 6.0"=RealPlayer
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"Windows Live OneCare safety scanner"=Windows Live OneCare safety scanner
"XircWinModem5"=Xircom MPCI Modem 56

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/9/2007 2:42:56 AM | Computer Name = TOSHIBA | Source = Perflib | ID = 1015
Description = The timeout waiting for the performance data collection function "PerfProc"
in
the "C:\WINDOWS\System32\perfproc.dll" Library to finish has expired. There may
be a problem with this extensible counter or the service it is collecting data from
or the system may have been very busy when this call was attempted.

Error - 10/9/2007 1:54:34 PM | Computer Name = TOSHIBA | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application excel.exe, version 10.0.2614.0, faulting module
excel.exe, version 10.0.2614.0, fault address 0x004bbf71.

Error - 10/13/2007 7:43:35 PM | Computer Name = TOSHIBA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 6.0.2800.1106, hang module
MSHTML.DLL, version 6.0.2800.1458, hang address 0x0001d5c2.

Error - 10/14/2007 5:46:00 PM | Computer Name = TOSHIBA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2800.1106, faulting
module mshtml.dll, version 6.0.2800.1458, fault address 0x000961be.

Error - 10/27/2007 10:18:36 AM | Computer Name = TOSHIBA | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office XP Professional with FrontPage -- Error
1706. Setup cannot find the required files. Check your connection to the network,
or CD-ROM drive. For other potential solutions to this problem, see C:\Program
Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 10/27/2007 4:20:18 PM | Computer Name = TOSHIBA | Source = ESENT | ID = 489
Description = wuauclt (1596) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 10/27/2007 4:20:18 PM | Computer Name = TOSHIBA | Source = ESENT | ID = 455
Description = wuaueng.dll (1596) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 10/27/2007 4:20:28 PM | Computer Name = TOSHIBA | Source = ESENT | ID = 489
Description = wuauclt (1596) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 10/27/2007 4:20:28 PM | Computer Name = TOSHIBA | Source = ESENT | ID = 455
Description = wuaueng.dll (1596) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 10/29/2007 8:56:31 AM | Computer Name = TOSHIBA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2800.1106, faulting
module unknown, version 0.0.0.0, fault address 0x623aedb0.

[ System Events ]
Error - 9/24/2008 5:09:30 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/24/2008 5:09:35 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/24/2008 5:09:39 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/24/2008 5:09:44 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/24/2008 5:09:49 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 9/24/2008 7:07:03 AM | Computer Name = TOSHIBA | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x4d0), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead
to system instability. Please contact your system vendor for technical assistance.

Error - 9/24/2008 7:07:04 AM | Computer Name = TOSHIBA | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x4d0), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead
to system instability. Please contact your system vendor for technical assistance.

Error - 9/24/2008 3:41:13 PM | Computer Name = TOSHIBA | Source = Service Control Manager | ID = 7034
Description = The Microsoft ASPI Manager service terminated unexpectedly. It has
done this 1 time(s).

Error - 9/24/2008 3:44:52 PM | Computer Name = TOSHIBA | Source = ACPI | ID = 327684
Description = AMLI: ACPI BIOS is attempting to read from an illegal IO port address
(0x4d0), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead
to system instability. Please contact your system vendor for technical assistance.

Error - 9/24/2008 3:44:52 PM | Computer Name = TOSHIBA | Source = ACPI | ID = 327685
Description = AMLI: ACPI BIOS is attempting to write to an illegal IO port address
(0x4d0), which lies in the 0x4d0 - 0x4d1 protected address range. This could lead
to system instability. Please contact your system vendor for technical assistance.


< End of report >

#4 drex23
    Bleeping Existence
  • Members
  • 456 posts
  • Gender:Male

Posted 24 September 2008 - 05:00 PM

Hello, stan99. It looks like there is just a bit more to do. Before we get to that, I would like to bring up a few issues. First of all, there is a bad sector on your hard drive according to this entry in your event viewer.
[ System Events ]
Error - 9/24/2008 5:09:30 AM | Computer Name = TOSHIBA | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Basically, this means that your hard drive will very likely fail before long. I would suggest backing up any data you need and replacing the hard drive as soon as you can. If you didn't have a hard drive issue, I would actually suggest that you consider reformatting anyway because one or more of the things you were dealing with had backdoor/rootkit functionality.
Seeing how that is the case, I won't go into a lot of the usual recommendations for things like updating the service pack, Java, etc.

There's just one thing left that I'd like to deal with.

Run HijackThis.
Click on Do a system scan only.
Place a check mark next to these lines (if still present).

O21 - SSODL: VIjpDO - {FCC1D7B0-566B-7D1A-6BD2-4E60C7F6EEAA} - C:\WINDOWS\system32\moo.dll

Then close all windows except HijackThis and click Fix Checked.

Restart

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

Use Windows Explorer to find and delete this file (if present):

C:\WINDOWS\system32\moo.dll


Finally, please post a new HijackThis log, and a description of any remaining problems.

In your next reply, please include the following:
  • Log from HijackThis.


#5 drex23
    Bleeping Existence
  • Members
  • 456 posts
  • Gender:Male

Posted 29 September 2008 - 08:49 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened due to continuation of your original problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin your own topic.



