Multiple POPups in Mozilla


19 replies to this topic

#1 likuid99

Posted 14 December 2008 - 11:02 PM

Windows XP Pro - SP2

Getting popups and page changes to ad sites every few minutes. Seems to happen a lot when attempting to view videos (java/flash), and things lock up.
I have already downloaded Combofix, installed the Windows Recovery Console, and ran Combofix once. It seemed to help at first, but the problem is coming back.
So here's my RSIT log and info file:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Cisco at 2008-12-14 21:36:32
Microsoft Windows XP Professional Service Pack 2
System drive C: has 25 GB (65%) free of 38 GB
Total RAM: 1023 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:42 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Program Files\Firefox\firefox.exe
F:\Download - Firefox\RSIT.exe
C:\Program Files\trend micro\Cisco.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://securera.edwardjones.com/vdesk/term...,2008,0122,2004
O16 - DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} (F5 Virtual Sandbox Class) - https://securera.edwardjones.com/vdesk/term...,2008,0122,2006
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://securera.edwardjones.com/vdesk/term...,2008,0122,2005
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://securera.edwardjones.com/vdesk/term...,2008,0122,2004
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://securera.edwardjones.com/policy/dow...,2008,0122,2007
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

--
End of file - 5931 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Symantec NetDetect.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-10-04 48752]
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe [2005-11-15 85744]
"WINDVDPatch"=C:\WINDOWS\system32\CTHELPER.EXE [2002-07-02 24576]
"UpdReg"=C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]
"Jet Detection"=C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe [2001-11-29 28672]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-04-27 180269]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2005-05-20 4620288]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2005-05-20 86016]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
F:\Program Files\AIM\aim.exe [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2006-09-01 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe [2005-04-13 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-04-27 180269]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
F:\Program Files\Winamp\winampa.exe [2008-04-01 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
C:\PROGRA~1\HEWLET~1\HPOFFI~1\Bin\HPOstr05.exe [2001-10-24 1175552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Alarm++.lnk]
F:\PROGRA~1\ALARM_~1\Alarm.exe [2005-02-17 1036288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^MEMonitor.lnk]
C:\PROGRA~1\VERIZO~1\VCASTM~1\MEMONI~1.EXE [2007-07-04 947544]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Shortcut to ARiD (2).lnk]
F:\SC\STEALT~1\ARiD.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\System32\NavLogon.dll [2005-11-15 43760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"F:\Program Files\LimeWire\LimeWire.exe"="F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"F:\Program Files\BitTornado\btdownloadgui.exe"="F:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:ccApp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\SETUP.EXE


======List of files/folders created in the last 1 months======

2008-12-14 21:36:33 ----D---- C:\Program Files\trend micro
2008-12-14 21:36:32 ----D---- C:\rsit
2008-12-09 01:25:42 ----A---- C:\ComboFix.txt
2008-12-09 01:22:03 ----A---- C:\Boot.bak
2008-12-09 01:21:56 ----RASHD---- C:\cmdcons
2008-12-09 00:59:04 ----A---- C:\WINDOWS\zip.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\VFIND.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\SWSC.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\SWREG.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\sed.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\NIRCMD.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\grep.exe
2008-12-09 00:59:04 ----A---- C:\WINDOWS\fdsv.exe
2008-12-09 00:59:01 ----D---- C:\WINDOWS\ERDNT
2008-12-09 00:59:01 ----D---- C:\Qoobox
2008-12-08 13:05:45 ----D---- C:\Program Files\Hijackthis
2008-12-01 14:52:35 ----A---- C:\WINDOWS\system32\ebc1323c-.txt
2008-11-25 01:17:16 ----A---- C:\gmw5vr.exe
2008-11-24 13:54:48 ----A---- C:\gf76zy.exe
2008-11-17 15:37:25 ----D---- C:\Documents and Settings\Cisco\Application Data\Malwarebytes
2008-11-17 15:37:19 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes

======List of files/folders modified in the last 1 months======

2008-12-14 21:36:36 ----D---- C:\WINDOWS\Prefetch
2008-12-14 21:36:33 ----RD---- C:\Program Files
2008-12-14 21:33:33 ----D---- C:\WINDOWS\Temp
2008-12-13 22:07:14 ----A---- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.BAK
2008-12-13 15:46:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-13 15:45:25 ----A---- C:\WINDOWS\HPOTBX05.INI
2008-12-13 15:45:23 ----A---- C:\WINDOWS\HPODJC05.INI
2008-12-13 06:27:11 ----D---- C:\WINDOWS\system32\CatRoot2
2008-12-11 23:41:25 ----D---- C:\WINDOWS\system32
2008-12-11 22:12:19 ----D---- C:\Program Files\Common Files\Symantec Shared
2008-12-10 13:42:54 ----A---- C:\WINDOWS\NeroDigital.ini
2008-12-09 01:25:44 ----D---- C:\WINDOWS
2008-12-09 01:24:15 ----A---- C:\WINDOWS\system.ini
2008-12-09 01:23:46 ----D---- C:\WINDOWS\system32\drivers
2008-12-09 01:23:46 ----D---- C:\Program Files\Common Files
2008-12-09 01:23:45 ----D---- C:\WINDOWS\AppPatch
2008-12-09 01:22:03 ----RASH---- C:\boot.ini
2008-12-09 01:02:45 ----D---- C:\WINDOWS\system32\config
2008-12-09 00:18:29 ----A---- C:\WINDOWS\HPOCSS05.INI
2008-12-08 13:57:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 12:14:17 ----A---- C:\WINDOWS\win.ini
2008-12-07 18:22:36 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-12-07 18:22:34 ----SHD---- C:\WINDOWS\Installer
2008-12-07 18:22:20 ----D---- C:\WINDOWS\WinSxS
2008-12-07 18:21:51 ----D---- C:\Program Files\Windows Live
2008-12-07 18:16:07 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-12-07 18:04:36 ----D---- C:\Documents and Settings
2008-12-03 21:52:49 ----SD---- C:\WINDOWS\Tasks
2008-11-17 15:54:00 ----RSHDC---- C:\WINDOWS\system32\dllcache

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-10-19 195728]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\PfModNT.sys []
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2002-07-19 127948]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2002-07-19 837548]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2002-07-19 11068]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2002-07-19 213860]
R3 Dot4;IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
R3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\System32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
R3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2002-07-19 156604]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2002-07-24 998004]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081214.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081214.003\navex15.sys []
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-05-20 2826944]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2002-07-19 195432]
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2005-10-19 12944]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2005-10-19 109200]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2005-10-19 31888]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20081210.002\symidsco.sys []
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2005-10-19 28304]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-10-19 24720]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-03 17024]
S2 zumbus;Zune Bus Enumerator Driver; C:\WINDOWS\system32\DRIVERS\zumbus.sys []
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 FVNETusb;Linksys Wireless-B USB Network Adapter v2.8 Driver; C:\WINDOWS\system32\DRIVERS\vnet58lx.sys [2004-03-26 122112]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM); C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2007-07-03 80552]
S3 sscdmdfl;SAMSUNG Mobile Modem Filter; C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2007-07-03 11944]
S3 sscdmdm;SAMSUNG Mobile Modem Drivers; C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2007-07-03 106792]
S3 sscdserd;SAMSUNG Mobile Modem Diagnostic Serial Port (WDM); C:\WINDOWS\system32\DRIVERS\sscdserd.sys [2007-07-03 86824]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-10-04 185968]
R2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2005-10-04 239216]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-10-04 177776]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe [2005-11-15 20208]
R2 ISSVC;IS Service; C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe [2005-11-09 79488]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-23 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2005-05-20 127043]
R2 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-10-19 214672]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe [2005-11-15 1756912]
R2 SymSecurePort;Symantec SecurePort; C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe [2005-11-09 161408]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-03 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-10-04 83568]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]
S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-30 992864]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.04 2008-12-14 21:36:46

======Uninstall list======

-->"C:\Program Files\Creative\SBLive\Program\Ctzapxx.EXE" /X /U /S
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A731533B-B325-4D9C-91A4-D93C8E294C19}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
AIM 6-->C:\Program Files\AIM6\uninst.exe
Alarm++-->F:\Program Files\Alarm++\Uninstal.exe
AOL Instant Messenger-->F:\Program Files\AIM\uninstll.exe -LOG= F:\Program Files\AIM\install.log -OEM=
BitTornado 0.3.17-->F:\Program Files\BitTornado\uninst.exe
dBpoweramp Music Converter-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat
Diet Analysis Plus 8.0-->F:\Program Files\Diet Analysis Plus 8.0\uninst.exe
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
GSpot Codec Information Appliance-->F:\Codecs\gspot\Uninstall.exe
Hijackthis 1.99.1-->"C:\Program Files\Hijackthis\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
HP OfficeJet Series 700 (Remove Only)-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 700\uninst.dll"
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
K-Lite Codec Pack 2.71 Standard-->"F:\Codecs\K-Lite Codec Pack\unins000.exe"
LimeWire 4.16.6-->"F:\Program Files\LimeWire\uninstall.exe"
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player 8-->C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Malwarebytes' Anti-Malware-->"F:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows XP Video Decoder Checkup Utility-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\DECCHECK.inf,Uninstall
Mozilla Firefox (1.5.0.12)-->F:\PROGRA~1\FIREFOX\uninstall\uninstall.exe /ua "1.5.0.12 (en-US)"
Mozilla Thunderbird (1.5.0.14)-->C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5.0.14 (en-US)"
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
QuickTime-->MsiExec.exe /I{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{E9ED0801-253D-4FE9-AB20-F63DEFE72547}
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922760)-->"C:\WINDOWS\$NtUninstallKB922760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925454)-->"C:\WINDOWS\$NtUninstallKB925454$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928090)-->"C:\WINDOWS\$NtUninstallKB928090$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929969)-->"C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Sound Blaster Live! Web 2K/XP-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}\Setup.exe" -l0x9
Spybot - Search & Destroy 1.4-->"C:\Bevoware\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.4-->"C:\Bevoware\SpywareBlaster\unins000.exe"
Starcraft-->C:\WINDOWS\SCunin.exe C:\WINDOWS\SCunin.dat
Symantec Client Security-->MsiExec.exe /I{D75D48AF-E2D5-49EF-9571-EE7AFB6565B4}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
V CAST Music Manager -->C:\PROGRA~1\VERIZO~1\VCASTM~1\Setup.exe /remove /q0
Winamp-->"F:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
Xvid 1.1.2 final uninstall-->"F:\Codecs\Xvid\unins000.exe"

======Security center information======

AV: Symantec AntiVirus Corporate Edition
FW: Symantec Client Firewall

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=0801
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip

-----------------EOF-----------------


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 22 December 2008 - 07:48 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following so I can have a look at the current condition of your machine.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
Download and Run OTViewIt
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Run Kaspersky Online Scanner
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

In your next reply please include the following:
  • OTViewIt.txt
  • Extra.txt
  • Kaspersky's Log

Important Note: For other users who are reading this topic, the instructions provided in this topic are for the original topic starter ONLY. Even if you have similar problems or even log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic and feel free to link to any relevant topics as needed. Please Do NOT follow the instructions provided for this topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 December 2008 - 12:41 PM

Hi.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5 days the topic will need to be closed.

Thanks for understanding. :thumbsup:

With Regards,
Extremeboy

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 December 2008 - 05:36 PM

Hello.

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 27 December 2008 - 06:49 PM

Hello.

Topic Re-Opened upon user's request.

Please post back with the logs I asked for in my previous post.

With Regards,
Extremeboy

#6 likuid99

likuid99
  • Topic Starter

  • Members
  • 49 posts

Posted 27 December 2008 - 07:15 PM

OTViewIt logfile created on: 12/27/2008 2:27:12 PM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 540.14 Mb Available Physical Memory | 52.80% Memory free
2.40 Gb Paging File | 2.06 Gb Available in Paging File | 85.56% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 24.22 Gb Free Space | 65.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 95.89 Gb Free Space | 51.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2005/11/15 12:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
[2002/07/02 16:56:00 | 00,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2006/04/27 18:29:52 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy [Auto | Running])
[2005/10/04 11:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe -- (ISSVC [Auto | Running])
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/11/15 12:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [Auto | Running])
[2005/03/30 20:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe -- (SymSecurePort [Auto | Running])

========== Driver Services ==========

[2004/08/03 22:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Boot | Running])
[2004/08/03 21:59:22 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2002/07/19 09:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 09:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 06:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 09:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 09:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2004/08/03 21:58:30 | 00,207,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [On_Demand | Running])
[2001/08/17 12:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Running])
[2008/09/02 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2001/08/17 11:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC [On_Demand | Running])
[2002/07/19 09:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2008/09/02 02:00:00 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2004/03/26 12:08:54 | 00,122,112 | ---- | M] (Cisco-Linksys LLC.) -- C:\WINDOWS\system32\drivers\vnet58lx.sys -- (FVNETusb [On_Demand | Stopped])
[2004/08/03 22:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 12:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2008/11/11 03:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081226.002\naveng.sys -- (NAVENG [On_Demand | Running])
[2008/11/11 03:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081226.002\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2005/05/20 02:41:04 | 02,826,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/07/19 09:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 17:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2005/08/26 13:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2005/08/26 13:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2001/08/23 06:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/03/30 20:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[2007/07/03 17:54:24 | 00,080,552 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
[2007/07/03 17:57:24 | 00,011,944 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
[2007/07/03 17:58:20 | 00,106,792 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
[2007/07/03 17:59:10 | 00,086,824 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
[2005/10/19 16:38:40 | 00,012,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symdns.sys -- (SYMDNS [On_Demand | Running])
[2005/09/16 23:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2005/10/19 16:38:46 | 00,109,200 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symfw.sys -- (SYMFW [On_Demand | Running])
[2005/10/19 16:38:54 | 00,031,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symids.sys -- (SYMIDS [On_Demand | Running])
[2008/09/12 07:33:22 | 00,250,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\scfidsdefs\20081214.001\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Running])
[2005/10/19 16:38:50 | 00,028,304 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symndis.sys -- (SYMNDIS [On_Demand | Running])
[2005/10/19 16:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[2005/10/19 16:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe (Symantec Corporation)
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0
"HideStartupScripts"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"HideLegacyLogonScripts"=0
"HideLogoffScripts"=0
"HideStartupScripts"=0
"RunLogonScriptSync"=1
"RunStartupScriptSync"=0

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}: Button: AIM -- F:\Program Files\AIM\aim.exe [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{31E68DE2-5548-4B23-88F0-C51E6A0F695E}: https://support.microsoft.com/OAS/ActiveX/odc.cab -- Microsoft PID Sniffer
{57C76689-F052-487B-A19F-855AFDDF28EE}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Policy Agent Host Class
{7E73BE8F-FD87-44EC-8E22-023D5FF960FF}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2006 -- F5 Virtual Sandbox Class
{CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2005 -- F5 Networks SuperHost Class
{E0FF21FA-B857-45C5-8621-F120A0C17FF2}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Host Control
{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}: https://securera.edwardjones.com/policy/dow...,2008,0122,2007 -- F5 Networks OS Policy Agent

========== (O17) DNS Name Servers ==========

{7CF52ECB-6146-49A0-99D8-3C42AD0A2EF9} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{BA4755C8-204B-4AD9-972A-78BF775C9BC7} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{D2F2FA22-EABC-403A-8197-9F883C0559B5} (Servers: | Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible))

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\System32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/04/26 22:06:19 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTORUN.INF [[autorun] | OPEN=SETUP.EXE | ICON=BW.ICO | ]
[1998/12/13 01:43:32 | 00,000,040 | R--- | M] () -- E:\AUTORUN.INF -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
""=E:\SETUP.EXE -- [1998/11/30 23:04:40 | 00,025,600 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2008/12/27 13:48:40 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008/12/23 20:20:22 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/23 20:20:13 | 00,000,515 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to ComboFix.lnk
[2008/12/23 20:20:00 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/18 00:13:03 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/14 21:36:33 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2008/12/14 21:36:32 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/12 02:27:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cisco\My Documents\New Folder
[2008/12/09 01:22:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2008/12/09 01:22:00 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008/12/09 01:21:56 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008/12/09 00:59:04 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008/12/09 00:59:04 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008/12/09 00:59:04 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008/12/09 00:59:04 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008/12/09 00:59:04 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008/12/09 00:59:04 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008/12/09 00:59:04 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008/12/09 00:59:04 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008/12/09 00:59:04 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008/12/08 13:05:45 | 00,000,650 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\Hijackthis.lnk
[2008/12/08 13:05:45 | 00,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2008/12/07 18:04:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cisco\Desktop\InterWebs
[2008/12/06 14:46:21 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/12/06 14:46:21 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2008/12/01 14:46:51 | 00,000,000 | -HSD | C] -- C:\Documents and Settings\Cisco\Local Settings\Application Data\.#
[2008/11/28 15:23:53 | 00,000,786 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to Routine.doc.lnk

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/12/27 14:14:52 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/26 23:40:19 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/26 23:40:19 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/26 23:40:19 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/26 23:40:19 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/26 23:40:19 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/12/26 23:40:19 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2008/12/26 23:40:19 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2008/12/26 23:40:19 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2008/12/26 19:09:52 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.CDF
[2008/12/26 19:09:52 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.BAK
[2008/12/26 19:09:44 | 00,013,700 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/26 18:09:42 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/26 18:09:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/26 18:09:30 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/26 03:32:18 | 00,000,040 | ---- | M] () -- C:\WINDOWS\System32\profile.dat
[2008/12/26 03:32:00 | 06,919,458 | -H-- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\IconCache.db
[2008/12/23 20:20:13 | 00,000,515 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to ComboFix.lnk
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/23 05:25:47 | 00,000,962 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\MyAlarms.alm
[2008/12/18 12:44:47 | 00,096,768 | ---- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/18 00:13:04 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/17 13:51:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/17 13:12:37 | 00,000,533 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/17 13:12:37 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2008/12/17 13:12:37 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/12/14 21:36:07 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/10 23:05:04 | 00,002,141 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/09 01:14:19 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/12/09 01:02:58 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pekigoba
[2008/12/08 13:05:45 | 00,000,650 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\Hijackthis.lnk
[2008/12/08 12:14:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2008/12/07 18:22:20 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\My Sharing Folders.lnk
[2008/12/06 14:46:21 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2008/12/02 23:27:26 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\Routine.doc
[2008/11/28 15:23:53 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to Routine.doc.lnk
< End of report >

OTViewIt Extras logfile created on: 12/27/2008 2:27:12 PM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 540.14 Mb Available Physical Memory | 52.80% Memory free
2.40 Gb Paging File | 2.06 Gb Available in Paging File | 85.56% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 24.22 Gb Free Space | 65.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 95.89 Gb Free Space | 51.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=1
"AntiVirusDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/02/08 15:32:57 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2006/10/18 19:30:18 | 00,087,552 | ---- | M] () -- F:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui
[2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:ccApp

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 20:58:01 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}"=Sound Blaster Live! Web 2K/XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{91110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{AC76BA86-7AD7-1033-7B44-A70000000000}"=Adobe Reader 7.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{D050D7362D214723AD585B541FFB6C11}"=DivX Content Uploader
"{D75D48AF-E2D5-49EF-9571-EE7AFB6565B4}"=Symantec Client Security
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"AIM_6"=AIM 6
"Alarm++"=Alarm++
"AOL Instant Messenger"=AOL Instant Messenger
"BitTornado"=BitTornado 0.3.17
"dBpoweramp Music Converter"=dBpoweramp Music Converter
"DECCHECK"=Microsoft Windows XP Video Decoder Checkup Utility
"Diet Analysis Plus"=Diet Analysis Plus 8.0
"GSpot"=GSpot Codec Information Appliance
"HijackThis"=HijackThis 1.99.1
"Hijackthis_is1"=Hijackthis 1.99.1
"HP OfficeJet Series 700"=HP OfficeJet Series 700 (Remove Only)
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"InterActual Player"=InterActual Player
"KLiteCodecPack_is1"=K-Lite Codec Pack 2.71 Standard
"LimeWire"=LimeWire 4.16.6
"LiveUpdate"=LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (1.5.0.12)"=Mozilla Firefox (1.5.0.12)
"Mozilla Thunderbird (1.5.0.14)"=Mozilla Thunderbird (1.5.0.14)
"NeroMultiInstaller!UninstallKey"=Nero Suite
"NVIDIA Drivers"=NVIDIA Drivers
"RealPlayer 6.0"=RealPlayer
"ShockwaveFlash"=Macromedia Flash Player 8
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.4
"SpywareBlaster_is1"=SpywareBlaster v3.4
"Starcraft"=Starcraft
"Wdf01005"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp"=Winamp
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 2
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1"=Xvid 1.1.2 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/13/2008 12:44:08 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: c:\system volume information\_restore{6cbdb862-0933-4e91-bb9b-be7b0523d27e}\RP620\A0080322.dll
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 12/13/2008 12:44:10 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080322.dll by:
Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 12/13/2008 1:45:13 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080323.dll by:
Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 12/13/2008 1:45:13 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: c:\system volume information\_restore{6cbdb862-0933-4e91-bb9b-be7b0523d27e}\RP620\A0080323.dll
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 12/13/2008 1:45:15 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080323.dll by:
Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 12/13/2008 4:38:06 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080324.dll by:
Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 12/13/2008 4:38:06 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: c:\system volume information\_restore{6cbdb862-0933-4e91-bb9b-be7b0523d27e}\RP620\A0080324.dll
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 12/13/2008 4:38:09 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080324.dll by:
Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 12/14/2008 12:08:32 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: Unavailable by:
Invalid : (15) scan. Action: Leave Alone succeeded. Action Description: The file
was left unchanged.

Error - 12/14/2008 12:08:38 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


[ System Events ]
Error - 12/23/2008 5:28:34 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/23/2008 4:24:42 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/23/2008 8:40:40 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/23/2008 11:32:22 PM | Computer Name = HAL2000 | Source = DCOM | ID = 10010
Description = The server {520CCA63-51A5-11D3-9144-00104BA11C5E} did not register
with DCOM within the required timeout.

Error - 12/24/2008 11:00:32 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/25/2008 4:56:13 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/25/2008 3:36:05 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/26/2008 1:48:04 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/26/2008 8:09:57 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/27/2008 3:20:30 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.


< End of report >


Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 17:31:12
Records in database: 1521283
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
Scan statistics
Files scanned 52598
Threat name 11
Infected objects 16
Suspicious objects 4
Duration of the scan 01:45:28

File name Threat name Threats count
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\23\d372ed7-2f9bfaa7 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-2410c622 Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-44f16ab9 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-1e41f4fb Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\9\46b81009-440d874a Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Cisco\Application Data\Thunderbird\Profiles\8jpnil89.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Cisco\Application Data\Thunderbird\Profiles\8jpnil89.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\gf76zy.exe Infected: Trojan.Win32.Agent.aqkz 1
C:\gmw5vr.exe Infected: Trojan.Win32.Agent.aqkz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dehokiju.dll.vir Infected: Trojan.Win32.Monder.aenb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dubapaje.dll.vir Infected: Trojan.Win32.Monder.abst 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\giletisa.dll.vir Infected: Trojan.Win32.Monder.abjq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ramuzovi.dll.vir Infected: Trojan.Win32.Monder.aena 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winusime.dll.vir Infected: Trojan.Win32.Monder.ackt 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\zumidiba.dll.vir Infected: Trojan-Spy.Win32.Agent.gcc 1
F:\Download - Lime\its trick instrumental.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Download - Lime\Lil Wayne - Tha Carter III - 06 - Phone Home(1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
F:\Download - Lime\warpigs cake.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
The selected area was scanned.
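The report above mixes hits that still need action with hits that do not. Everything under C:\Qoobox\Quarantine is ComboFix's own quarantine (the .vir suffix marks a file it already removed), the Java Deployment cache entries are exploit applets cached by a drive-by page rather than installed programs, the Thunderbird hits are phishing HTML sitting inside a mailbox file, and the two executables in the root of C: are the only items listed that are both live and unhandled. As an added example, not part of the original thread or of Kaspersky's tooling, the Python below parses lines in this report format (a constructed sample copied from the report above) and sorts each hit by location; the class names and the note strings are my own triage rules, not anything the scanner emits.

```python
"""Sort Kaspersky scan-report hits by where they sit on disk.

Added example: not part of the original thread or of Kaspersky's tools.
Sample lines are copied from the report posted above; the location classes
and their notes are my own triage rules.
"""
import re

# Constructed sample: one line of each kind from the report in this post.
SAMPLE_REPORT = r"""
File name Threat name Threats count
C:\Documents and Settings\Cisco\Application Data\Sun\Java\Deployment\cache\6.0\23\d372ed7-2f9bfaa7 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Cisco\Application Data\Thunderbird\Profiles\8jpnil89.default\Mail\Local Folders\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\gf76zy.exe Infected: Trojan.Win32.Agent.aqkz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dehokiju.dll.vir Infected: Trojan.Win32.Monder.aenb 1
F:\Download - Lime\warpigs cake.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
The selected area was scanned.
"""

# One hit per line: "<path> Infected|Suspicious: <threat name> <count>"
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

# (substring of the lower-cased path, class, what it means for the responder)
LOCATION_RULES = [
    ("\\qoobox\\quarantine\\", "quarantined",
     "already removed by ComboFix (.vir); inert unless restored"),
    ("\\sun\\java\\deployment\\cache\\", "java-cache",
     "exploit applet cached by a drive-by page; clear the cache, patch the JRE"),
    ("\\thunderbird\\profiles\\", "mail-store",
     "phishing HTML inside a mailbox file; delete the message, it does not run by itself"),
    ("\\download - lime\\", "p2p-download",
     "trojanised media file from LimeWire; delete, do not play"),
]
# A bare executable directly in a drive root, e.g. C:\gf76zy.exe
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(exe|dll|sys|scr|pif|com|bat)$")


def classify_path(path):
    """Map a hit's path to a (class, note) pair using the rules above."""
    p = path.lower()
    for needle, cls, note in LOCATION_RULES:
        if needle in p:
            return cls, note
    if ROOT_EXE_RE.match(p):
        return "root-executable", "executable dropped in a drive root; live, remove it"
    return "other", "review manually"


def parse_report(text):
    """Parse 'path Infected|Suspicious: name count' lines into dicts."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # header, statistics and trailer lines
        cls, note = classify_path(m.group("path"))
        hits.append({
            "path": m.group("path"), "verdict": m.group("verdict"),
            "threat": m.group("threat"), "count": int(m.group("count")),
            "class": cls, "note": note,
        })
    return hits


def active_hits(hits):
    """Hits that still need action: everything not already in a quarantine folder."""
    return [h for h in hits if h["class"] != "quarantined"]


if __name__ == "__main__":
    for h in parse_report(SAMPLE_REPORT):
        print(f"{h['class']:16} {h['threat']:36} {h['path']}")
```

The point of the split is that a responder should not re-clean what ComboFix already quarantined, and should read the Java cache hits together with the original complaint (pop-ups while viewing Java/Flash video) as evidence of the drive-by route, which clearing the cache alone does not close: the browser plug-ins need updating as well.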

#7 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
Posted 29 December 2008 - 07:48 PM

Hello again.

I'm really sorry for the delay. I wasn't feeling well :thumbsup:

Your log looks okay to me; there are some entries/files we need to take care of. Have you had any problems recently?

I see you ran Combofix. Could you post back with the Combofix log? It can be found at C:\Combofix.txt

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case BitTornado 0.3.17 and LimeWire 4.16.6). These programs allow users to share files between one another, as the name suggests. In today's world cyber crime has grown to an enormous scale and any means is used to infect personal computers, to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should be used with great care. Some further reading on this subject, via the included links: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Kaspersky found some infected Java cache files, some other files, and also some music files that seem to have been downloaded from LimeWire.

Post back with:
-Combofix log
-Description of any problems


With regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#8 likuid99
  • Topic Starter
  • Members
  • 49 posts
Posted 30 December 2008 - 05:17 PM

Hope you are feeling better.

I had initially run Combofix on December 9, which is a while back now, so I went ahead and ran it again just now. My problems do seem to have disappeared for the time being; only the occasional popup instead of the complete changing of my webpage.
The Combofix log:

ComboFix 08-12-29.02 - Cisco 2008-12-30 15:59:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.536 [GMT -6:00]
Running from: f:\download - firefox\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))
.

2008-12-27 14:36 . 2008-12-27 14:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-14 21:36 . 2008-12-14 21:36 <DIR> d-------- C:\rsit
2008-12-14 21:36 . 2008-12-14 21:36 <DIR> d-------- c:\program files\trend micro
2008-12-06 14:46 . 2008-12-17 13:51 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 14:46 . 2008-12-06 14:46 1,409 --a------ c:\windows\QTFont.for
2008-11-25 01:17 . 2008-11-25 01:17 27,648 --a------ C:\gmw5vr.exe
2008-11-24 13:54 . 2008-11-24 13:54 27,648 --a------ C:\gf76zy.exe
2008-11-17 15:37 . 2008-11-17 15:37 <DIR> d-------- c:\documents and settings\Cisco\Application Data\Malwarebytes
2008-11-17 15:37 . 2008-11-17 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 15:37 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 15:37 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 19:44 . 2008-11-14 19:44 18,750 --a------ c:\documents and settings\All Users\Application Data\wodowuxeji.bin
2008-11-14 19:44 . 2008-11-14 19:44 17,189 --a------ c:\documents and settings\All Users\Application Data\ejocop.com
2008-11-14 14:54 . 2008-11-14 14:54 19,408 --a------ c:\program files\Common Files\fapepapyqi.sys
2008-11-14 14:54 . 2008-11-14 14:54 19,204 --a------ c:\documents and settings\All Users\Application Data\awuxyjiwi.com
2008-11-14 14:54 . 2008-11-14 14:54 19,137 --a------ c:\windows\umezikogaj._dl
2008-11-14 14:54 . 2008-11-14 14:54 19,111 --a------ c:\windows\system32\ifokequ.db
2008-11-14 14:54 . 2008-11-14 14:54 18,582 --a------ c:\documents and settings\Cisco\Application Data\ykarihoru.bat
2008-11-14 14:54 . 2008-11-14 14:54 18,036 --a------ c:\documents and settings\All Users\Application Data\sarebis.scr
2008-11-14 14:54 . 2008-11-14 14:54 17,976 --a------ c:\documents and settings\Cisco\Application Data\ylef.pif
2008-11-14 14:54 . 2008-11-14 14:54 17,964 --a------ c:\documents and settings\All Users\Application Data\ebycoc.bat
2008-11-14 14:54 . 2008-11-14 14:54 17,787 --a------ c:\windows\iret.exe
2008-11-14 14:54 . 2008-11-14 14:54 17,634 --a------ c:\program files\Common Files\upas.dll
2008-11-14 14:54 . 2008-11-14 14:54 17,345 --a------ c:\program files\Common Files\pywofif.bat
2008-11-14 14:54 . 2008-11-14 14:54 15,384 --a------ c:\windows\isybituk.ban
2008-11-14 14:54 . 2008-11-14 14:54 14,546 --a------ c:\windows\tyhuhovulo.vbs
2008-11-14 14:54 . 2008-11-14 14:54 13,605 --a------ c:\windows\ewuvyxy.lib
2008-11-14 14:54 . 2008-11-14 14:54 12,796 --a------ c:\windows\yqylege.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 20:36 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 20:36 --------- d-----w c:\program files\Java
2008-12-24 06:27 --------- d-----w c:\documents and settings\Cisco\Application Data\LimeWire
2008-12-16 03:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-08 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 00:21 --------- d-----w c:\program files\Windows Live
2008-12-08 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-14 20:54 14,951 ----a-w c:\program files\Common Files\lejuhebihe.dl
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-09_ 1.24.29.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-23 21:39:27 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-27 20:36:35 144,792 ----a-w c:\windows\system32\java.exe
- 2008-10-23 21:39:27 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-27 20:36:35 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-10-23 21:39:27 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-27 20:36:35 148,888 ----a-w c:\windows\system32\javaws.exe
- 2007-11-21 00:52:38 2,884,992 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll
- 2007-11-21 00:52:40 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2008-03-10 03:21:08 70,264 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-12-14 09:36:10 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-12-27 20:36:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_bf8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-11-15 85744]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-27 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-20 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-05-20 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=c:\windows\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Alarm++.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Alarm++.lnk
backup=c:\windows\pss\Alarm++.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Shortcut to ARiD (2).lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Shortcut to ARiD (2).lnk
backup=c:\windows\pss\Shortcut to ARiD (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 f:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-27 18:29 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 12:49 36352 f:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"nogikopomo"=Rundll32.exe "c:\windows\system32\tahalopu.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 SavRoam;SAVRoam;"c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2006-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_03\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cisco\Application Data\Mozilla\Firefox\Profiles\0p7l4jbw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.igoogle.com

ATTENTION: FIREFOX POLICES IS IN FORCE
f:\program files\Firefox\\greprefs\all.js - pref("general.useragent.contentlocale", "chrome://navigator-region/locale/region.properties");
f:\program files\Firefox\\greprefs\all.js - pref("accessibility.typeaheadfind.soundURL", "default");
f:\program files\Firefox\\greprefs\all.js - pref("browser.tabs.warnOnCloseOther", true);
f:\program files\Firefox\\greprefs\all.js - pref("browser.tabs.loadGroup", 1);
f:\program files\Firefox\\greprefs\all.js - pref("browser.tabs.loadOnNewTab", 0);
f:\program files\Firefox\\greprefs\all.js - pref("browser.windows.loadOnNewWindow", 1);
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.HTMLDocument.open.get", "allAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.Location.reload.get", "allAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.Window.Components", "allAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.Window.document.get", "allAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.commandDispatcher", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerForCommand", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.insertControllerAt", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeControllerAt", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerAt", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.appendController", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.removeController", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerId", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerById", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("capability.policy.default.XULControllers.getControllerCount", "noAccess");
f:\program files\Firefox\\greprefs\all.js - pref("dom.disable_window_open_feature.resizable", false);
f:\program files\Firefox\\greprefs\all.js - pref("network.http.max-connections", 24);
f:\program files\Firefox\\greprefs\all.js - pref("network.http.max-connections-per-server", 8);
f:\program files\Firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-server", 2);
f:\program files\Firefox\\greprefs\all.js - pref("network.http.max-persistent-connections-per-proxy", 4);
f:\program files\Firefox\\greprefs\all.js - pref("network.http.accept.default", "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5");
f:\program files\Firefox\\greprefs\all.js - pref("network.dns.ipv4OnlyDomains", ".doubleclick.net");
f:\program files\Firefox\\greprefs\all.js - pref("network.standard-url.encode-utf8", false);
f:\program files\Firefox\\greprefs\all.js - pref("network.image.warnAboutImages", false);
f:\program files\Firefox\\greprefs\all.js - pref("network.proxy.autoconfig_url", "");
f:\program files\Firefox\\greprefs\all.js - pref("network.cookie.p3p", "ffffaaaa");
f:\program files\Firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
f:\program files\Firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
f:\program files\Firefox\\greprefs\all.js - pref("ime.password.onFocus.dontCare", false);
f:\program files\Firefox\\greprefs\all.js - pref("ime.password.onBlur.dontCare", false);
f:\program files\Firefox\\greprefs\all.js - pref("ui.key.generalAccessKey", 18);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.enable_ssl2", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_128", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_128", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_ede3_192", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.des_64", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc4_40", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl2.rc2_40", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_fips_des_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_des_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_rc4_56_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_1024_des_cbc_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc4_40_md5", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.rsa_rc2_40_md5", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_rsa_des_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ssl3.dhe_dss_des_sha", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.default_personal_cert", "Select Automatically");
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.warn_entering_secure", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.warn_leaving_secure", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.warn_submit_insecure", true);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.OCSP.enabled", 0);
f:\program files\Firefox\\greprefs\security-prefs.js - pref("security.ui.enable", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("startup.homepage_override_url","chrome://browser-region/locale/region.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.skin", "chrome://mozapps/content/extensions/extensions.xul?type=themes");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.chrome", "chrome://mozapps/content/extensions/extensions.xul?type=extensions");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.skin", "Extension:Manager-themes");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("xpinstall.dialog.progress.type.chrome", "Extension:Manager-extensions");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("app.update.url.manual", "http://www.mozilla.org/products/firefox/");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("app.update.url.details", "chrome://browser-region/locale/region.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.download", 86400);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("app.update.nagTimer.restart", 1800);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("extensions.update.url", "chrome://mozapps/locale/extensions/extensions.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreExtensionsURL", "chrome://mozapps/locale/extensions/extensions.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("extensions.getMoreThemesURL", "chrome://mozapps/locale/extensions/extensions.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("keyword.URL", "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.startup.homepage", "resource:/browserconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.defaulturl", "chrome://browser-region/locale/region.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.1", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo.2", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.order.Yahoo", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.basic.min_ver", "0.0");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.link.open_newwindow", 2);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.tabs.opentabfor.urlbar", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.related.enabled", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.related.autoload", 1); // 0 = Always, 1 = After first use, 2 = Never
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.related.provider", "http://www-rl.netscape.com/wtgn?");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.related.disabledForDomains", "");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.goBrowsing.enabled", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("dom.disable_window_open_feature.location", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("dom.disable_window_flip", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.trim_user_and_password", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.history", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.formdata", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.passwords", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.downloads", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.cookies", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.cache", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.siteprefs", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("privacy.item.sessions", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("network.cookie.enableForCurrentSessionOnly", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("network.cookie.denyRemovedCookies", false);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.throbber.url","chrome://browser-region/locale/region.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("alerts.height", 50);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("signon.prefillForms", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("security.warn_entering_secure.show_once", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("security.warn_leaving_secure.show_once", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("security.warn_submit_insecure.show_once", true);
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.display.screen_resolution", 96);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-30 16:01:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-30 16:03:05
ComboFix-quarantined-files.txt 2008-12-30 22:02:19
ComboFix2.txt 2008-12-09 07:25:42

Pre-Run: 25,687,392,256 bytes free
Post-Run: 25,804,640,256 bytes free

290
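Several lines in the Reg Loading Points section of this log are the ones a responder reads for first: the Security Center values AntiVirusDisableNotify and UpdatesDisableNotify set to 1 and DisableMonitoring set to 1 for both Symantec products, EnableFirewall set to 0 for the Windows Firewall standard profile, the nogikopomo value that starts Rundll32.exe on tahalopu.dll (a DLL with the same style of randomised name as the files already in ComboFix's quarantine), and an AutoRun command under MountPoints2 for drive E:. As an added example, not part of the original thread or of ComboFix, the Python below parses that section (a constructed sample copied from the log above) and flags those four patterns. The rule names are my own; the Run- key is treated the same as Run, which is conservative, since entries parked there by a cleaning tool may already be disabled.

```python
"""Flag suspicious entries in a ComboFix 'Reg Loading Points' section.

Added example: not part of the original thread or of ComboFix. The sample
below is copied from the log posted above; rule names are my own.
"""
import re

# Constructed sample: lines copied from the ComboFix log in this post.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"nogikopomo"=Rundll32.exe "c:\windows\system32\tahalopu.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
AUTORUN_PREFIX = "\\Shell\\AutoRun\\command"

# Security Center values that, when 1, silence the "no AV / no updates /
# not monitored" warnings the user would otherwise see.
SECURITY_CENTER_FLAGS = {
    "antivirusdisablenotify", "firewalldisablenotify",
    "updatesdisablenotify", "disablemonitoring",
}


def parse_loading_points(text):
    """Return (key, value_name, data) triples from ComboFix's REGEDIT4-style dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, m.group("name"), m.group("data")))
        elif line.startswith(AUTORUN_PREFIX) and " - " in line:
            # MountPoints2 lines are printed as "\Shell\AutoRun\command - <target>".
            entries.append((key, AUTORUN_PREFIX, line.split(" - ", 1)[1]))
    return entries


def _as_int(data):
    """Read 'dword:00000001' or '0 (0x0)' style data; None if not numeric."""
    m = re.search(r"dword:([0-9a-fA-F]{8})", data)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\b", data)
    return int(m.group(1)) if m else None


def triage(entries):
    """Return (rule, detail) findings for the four patterns described above."""
    findings = []
    for key, name, data in entries:
        k, n = key.lower(), name.lower()
        if "security center" in k and n in SECURITY_CENTER_FLAGS and _as_int(data) == 1:
            findings.append(("security-center-tamper", f"{key}\\{name}"))
        elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and _as_int(data) == 0:
            findings.append(("firewall-disabled", f"{key}\\{name}"))
        elif "currentversion\\run" in k and re.match(r"rundll32(\.exe)?\b", data.strip('"'), re.I):
            # Run value that loads a DLL through rundll32: the classic Vundo loading point.
            dll = re.search(r'"?([^",]+\.dll)', data, re.I)
            findings.append(("rundll32-run-entry", f"{name} -> {dll.group(1) if dll else data}"))
        elif "mountpoints2" in k and n.endswith("autorun\\command"):
            findings.append(("autorun-mountpoint", f"{key} -> {data}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{rule:24} {detail}")
```

Two of the four rules need context before they count as evidence. The Windows Firewall standard profile being off is expected when a third-party firewall is in charge, and this log's header reports Symantec Client Firewall as enabled; the DisableNotify values can also be set by a user who silenced the alerts by hand. They corroborate the Rundll32 loading point and the AutoRun entry; on their own they are not proof of tampering.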

#9 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male
Posted 31 December 2008 - 05:20 PM

Hello again.

I feel somewhat better now..

Glad your computer is better. I see you ran Combofix 3 times...

I would still like the first run's log even if your computer is better, as I still see some signs of Vundo files.

It can be found at C:\Qoobox\Combofix3.txt (this file).

Post back with the first run of the Combofix log. Also post back with new OTViewIt logs, as it has been a while. I apologize I couldn't reply earlier; busy these days.

Post back with:
-Combofix3 log
-OTViewIt logs


With Regards,
Extremeboy

#10 likuid99
  • Topic Starter
  • Members
  • 49 posts
Posted 01 January 2009 - 12:23 AM

OK, well, I don't have a Combofix3 because I think when I initially ran the program, due to poor instruction reading on my part, I hadn't installed the Windows Recovery Console yet and I cancelled it. Then I installed the console and completed the scan. Therefore I have Combofix2 in the location you specified. Here it is, followed by the new OTViewIt and Extras files.

ComboFix 08-12-07.04 - Cisco 2008-12-09 1:23:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.573 [GMT -6:00]
Running from: f:\download - firefox\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Cisco\Cookies\iwusycyk.db
c:\documents and settings\Cisco\Cookies\kykugiboc.ban
c:\documents and settings\Cisco\Local Settings\Temporary Internet Files\ezijene.db
c:\documents and settings\Cisco\Local Settings\Temporary Internet Files\nawom.dat
c:\documents and settings\Cisco\Local Settings\Temporary Internet Files\puge.inf
c:\documents and settings\Cisco\Local Settings\Temporary Internet Files\ylisulug.bat
c:\windows\system32\dehokiju.dll
c:\windows\system32\dubapaje.dll
c:\windows\system32\emisuniw.ini
c:\windows\system32\giletisa.dll
c:\windows\system32\jitodujo.dll
c:\windows\system32\jovijora.dll
c:\windows\system32\kuzokutu.dll
c:\windows\system32\miwusote.dll
c:\windows\system32\ramuzovi.dll
c:\windows\system32\tahalopu.dll
c:\windows\system32\tomuzipu.dll
c:\windows\system32\winusime.dll
c:\windows\system32\zumidiba.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-06 14:46 . 2008-12-06 14:46 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 14:46 . 2008-12-06 14:46 1,409 --a------ c:\windows\QTFont.for
2008-11-25 01:17 . 2008-11-25 01:17 27,648 --a------ C:\gmw5vr.exe
2008-11-24 13:54 . 2008-11-24 13:54 27,648 --a------ C:\gf76zy.exe
2008-11-17 15:37 . 2008-11-17 15:37 <DIR> d-------- c:\documents and settings\Cisco\Application Data\Malwarebytes
2008-11-17 15:37 . 2008-11-17 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-17 15:37 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-17 15:37 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-14 19:44 . 2008-11-14 19:44 18,750 --a------ c:\documents and settings\All Users\Application Data\wodowuxeji.bin
2008-11-14 19:44 . 2008-11-14 19:44 17,189 --a------ c:\documents and settings\All Users\Application Data\ejocop.com
2008-11-14 14:54 . 2008-11-14 14:54 19,408 --a------ c:\program files\Common Files\fapepapyqi.sys
2008-11-14 14:54 . 2008-11-14 14:54 19,204 --a------ c:\documents and settings\All Users\Application Data\awuxyjiwi.com
2008-11-14 14:54 . 2008-11-14 14:54 19,137 --a------ c:\windows\umezikogaj._dl
2008-11-14 14:54 . 2008-11-14 14:54 19,111 --a------ c:\windows\system32\ifokequ.db
2008-11-14 14:54 . 2008-11-14 14:54 18,582 --a------ c:\documents and settings\Cisco\Application Data\ykarihoru.bat
2008-11-14 14:54 . 2008-11-14 14:54 18,036 --a------ c:\documents and settings\All Users\Application Data\sarebis.scr
2008-11-14 14:54 . 2008-11-14 14:54 17,976 --a------ c:\documents and settings\Cisco\Application Data\ylef.pif
2008-11-14 14:54 . 2008-11-14 14:54 17,964 --a------ c:\documents and settings\All Users\Application Data\ebycoc.bat
2008-11-14 14:54 . 2008-11-14 14:54 17,787 --a------ c:\windows\iret.exe
2008-11-14 14:54 . 2008-11-14 14:54 17,634 --a------ c:\program files\Common Files\upas.dll
2008-11-14 14:54 . 2008-11-14 14:54 17,345 --a------ c:\program files\Common Files\pywofif.bat
2008-11-14 14:54 . 2008-11-14 14:54 15,384 --a------ c:\windows\isybituk.ban
2008-11-14 14:54 . 2008-11-14 14:54 14,546 --a------ c:\windows\tyhuhovulo.vbs
2008-11-14 14:54 . 2008-11-14 14:54 13,605 --a------ c:\windows\ewuvyxy.lib
2008-11-14 14:54 . 2008-11-14 14:54 12,796 --a------ c:\windows\yqylege.db

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 00:21 --------- d-----w c:\program files\Windows Live
2008-12-08 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-06 09:43 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-14 20:54 14,951 ----a-w c:\program files\Common Files\lejuhebihe.dl
2008-11-12 19:07 --------- d-----w c:\documents and settings\Cisco\Application Data\LimeWire
2008-10-23 21:39 410,976 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 21:39 --------- d-----w c:\program files\Java
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-09-07 20:22 87,552 --sha-w c:\windows\system32\gizogili.dll
2008-09-06 21:43 94,208 --sha-w c:\windows\system32\jobanuhi.dll
2008-09-07 20:22 94,208 --sha-w c:\windows\system32\mivojefu.dll
2008-09-06 09:42 93,184 --sha-w c:\windows\system32\rezuzubo.dll
2008-09-05 20:52 93,184 --sha-w c:\windows\system32\rukorege.dll
2008-09-06 09:42 88,064 --sha-w c:\windows\system32\suyagumu.dll
2008-09-06 21:43 85,504 --sha-w c:\windows\system32\tuyapepo.dll
2008-09-05 20:52 85,504 --sha-w c:\windows\system32\yagibara.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-11-15 85744]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-27 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-20 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-05-20 86016]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=c:\windows\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Alarm++.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Alarm++.lnk
backup=c:\windows\pss\Alarm++.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Shortcut to ARiD (2).lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Shortcut to ARiD (2).lnk
backup=c:\windows\pss\Shortcut to ARiD (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 f:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-04-13 02:48 36975 c:\program files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-27 18:29 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 12:49 36352 f:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"nogikopomo"=Rundll32.exe "c:\windows\system32\tahalopu.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 SavRoam;SAVRoam;"c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe" [2005-11-15 169200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2006-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d444a239-3345-4905-b8fa-27e9c250f9ba} - c:\windows\system32\jitodujo.dll
HKLM-Run-nwiz - nwiz.exe
MSConfigStartUp-brastk - c:\windows\system32\brastk.exe
MSConfigStartUp-CPMe3d1c5de - c:\windows\system32\kuzokutu.dll
MSConfigStartUp-e0e2f642 - c:\windows\system32\winusime.dll
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
MSConfigStartUp-nogikopomo - c:\windows\system32\tahalopu.dll
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-ViewMgr - c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
MSConfigStartUp-Zune Launcher - c:\program files\Zune\ZuneLauncher.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Cisco\Application Data\Mozilla\Firefox\Profiles\0p7l4jbw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.igoogle.com
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 01:24:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-09 1:25:40
ComboFix-quarantined-files.txt 2008-12-09 07:24:54

Pre-Run: 26,297,602,048 bytes free
Post-Run: 26,285,158,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

211


OTViewIt logfile created on: 12/31/2008 11:07:26 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 555.61 Mb Available Physical Memory | 54.31% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 86.25% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 23.89 Gb Free Space | 64.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 96.92 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2005/11/15 12:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
[2002/07/02 16:56:00 | 00,024,576 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTHELPER.EXE
[2006/04/27 18:29:52 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/12/27 14:36:35 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2004/08/03 23:56:58 | 00,218,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy [Auto | Running])
[2005/10/04 11:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe -- (ISSVC [Auto | Running])
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/11/15 12:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [Auto | Running])
[2005/03/30 20:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe -- (SymSecurePort [Auto | Running])

========== Driver Services ==========

[2004/08/03 22:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Boot | Running])
[2004/08/03 21:59:22 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2002/07/19 09:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 09:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 06:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 09:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 09:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2004/08/03 21:58:30 | 00,207,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [On_Demand | Running])
[2001/08/17 12:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Running])
[2008/09/02 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2001/08/17 11:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC [On_Demand | Running])
[2002/07/19 09:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2008/09/02 02:00:00 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2004/03/26 12:08:54 | 00,122,112 | ---- | M] (Cisco-Linksys LLC.) -- C:\WINDOWS\system32\drivers\vnet58lx.sys -- (FVNETusb [On_Demand | Stopped])
[2004/08/03 22:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 12:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2008/11/11 03:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081228.003\naveng.sys -- (NAVENG [On_Demand | Running])
[2008/11/11 03:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081228.003\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2005/05/20 02:41:04 | 02,826,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/07/19 09:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 17:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2005/08/26 13:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2005/08/26 13:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2001/08/23 06:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/03/30 20:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[2007/07/03 17:54:24 | 00,080,552 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
[2007/07/03 17:57:24 | 00,011,944 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
[2007/07/03 17:58:20 | 00,106,792 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
[2007/07/03 17:59:10 | 00,086,824 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
[2005/10/19 16:38:40 | 00,012,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symdns.sys -- (SYMDNS [On_Demand | Running])
[2005/09/16 23:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2005/10/19 16:38:46 | 00,109,200 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symfw.sys -- (SYMFW [On_Demand | Running])
[2005/10/19 16:38:54 | 00,031,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symids.sys -- (SYMIDS [On_Demand | Running])
[2008/09/12 07:33:22 | 00,250,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\scfidsdefs\20081214.001\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Running])
[2005/10/19 16:38:50 | 00,028,304 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symndis.sys -- (SYMNDIS [On_Demand | Running])
[2005/10/19 16:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[2005/10/19 16:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe (Symantec Corporation)
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"= File not found

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: Reg Error: Key does not exist or could not be opened. File not found

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}: Button: AIM -- F:\Program Files\AIM\aim.exe [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{31E68DE2-5548-4B23-88F0-C51E6A0F695E}: https://support.microsoft.com/OAS/ActiveX/odc.cab -- Microsoft PID Sniffer
{57C76689-F052-487B-A19F-855AFDDF28EE}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Policy Agent Host Class
{7E73BE8F-FD87-44EC-8E22-023D5FF960FF}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2006 -- F5 Virtual Sandbox Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688 -- Java Plug-in 1.6.0_11
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2005 -- F5 Networks SuperHost Class
{E0FF21FA-B857-45C5-8621-F120A0C17FF2}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Host Control
{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}: https://securera.edwardjones.com/policy/dow...,2008,0122,2007 -- F5 Networks OS Policy Agent

========== (O17) DNS Name Servers ==========

{7CF52ECB-6146-49A0-99D8-3C42AD0A2EF9} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{BA4755C8-204B-4AD9-972A-78BF775C9BC7} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{D2F2FA22-EABC-403A-8197-9F883C0559B5} (Servers: | Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible))

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\System32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/04/26 22:06:19 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTORUN.INF [[autorun] | OPEN=SETUP.EXE | ICON=BW.ICO | ]
[1998/12/13 01:43:32 | 00,000,040 | R--- | M] () -- E:\AUTORUN.INF -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
""=E:\SETUP.EXE -- [1998/11/30 23:04:40 | 00,025,600 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2008/12/30 16:52:31 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2008/12/27 17:17:20 | 00,006,692 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/23 20:20:22 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/23 20:20:13 | 00,000,515 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to ComboFix.lnk
[2008/12/23 20:20:00 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/18 00:13:03 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/14 21:36:33 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2008/12/14 21:36:32 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/12 02:27:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cisco\My Documents\New Folder
[2008/12/09 01:22:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2008/12/09 01:22:00 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008/12/09 01:21:56 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008/12/09 00:59:04 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2008/12/09 00:59:04 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2008/12/09 00:59:04 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2008/12/09 00:59:04 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2008/12/09 00:59:04 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2008/12/09 00:59:04 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2008/12/09 00:59:04 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2008/12/09 00:59:04 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2008/12/09 00:59:04 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008/12/08 13:05:45 | 00,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2008/12/06 14:46:21 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/12/06 14:46:21 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2008/12/31 23:05:37 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.CDF
[2008/12/31 23:05:37 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.BAK
[2008/12/31 23:05:27 | 00,013,700 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/31 16:22:59 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/31 16:22:59 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/31 16:22:59 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/31 16:22:59 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2008/12/31 16:22:59 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2008/12/31 16:22:59 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2008/12/31 16:22:59 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2008/12/31 16:22:59 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2008/12/30 22:58:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/30 22:58:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/30 22:58:24 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/30 17:21:15 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/30 16:48:13 | 00,000,040 | ---- | M] () -- C:\WINDOWS\System32\profile.dat
[2008/12/30 16:01:37 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/12/27 17:17:20 | 00,006,692 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/26 03:32:00 | 06,919,458 | -H-- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\IconCache.db
[2008/12/23 20:20:13 | 00,000,515 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\Shortcut to ComboFix.lnk
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/23 05:25:47 | 00,000,962 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\MyAlarms.alm
[2008/12/18 12:44:47 | 00,096,768 | ---- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/18 00:13:04 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/17 13:51:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/17 13:12:37 | 00,000,533 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/17 13:12:37 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2008/12/14 21:36:07 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/10 23:05:04 | 00,002,141 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/09 01:14:19 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/12/09 01:02:58 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pekigoba
[2008/12/08 12:14:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2008/12/07 18:22:20 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\My Sharing Folders.lnk
[2008/12/06 14:46:21 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2008/12/02 23:27:26 | 00,023,552 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\Routine.doc
< End of report >


OTViewIt Extras logfile created on: 12/31/2008 11:07:26 PM - Run 3
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 555.61 Mb Available Physical Memory | 54.31% Memory free
2.40 Gb Paging File | 2.07 Gb Available in Paging File | 86.25% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 23.89 Gb Free Space | 64.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 96.92 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=1
"AntiVirusDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/02/08 15:32:57 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2006/10/18 19:30:18 | 00,087,552 | ---- | M] () -- F:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui
[2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:ccApp

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 20:58:01 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java™ 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}"=Sound Blaster Live! Web 2K/XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{91110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{AC76BA86-7AD7-1033-7B44-A70000000000}"=Adobe Reader 7.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{D050D7362D214723AD585B541FFB6C11}"=DivX Content Uploader
"{D75D48AF-E2D5-49EF-9571-EE7AFB6565B4}"=Symantec Client Security
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"AIM_6"=AIM 6
"Alarm++"=Alarm++
"AOL Instant Messenger"=AOL Instant Messenger
"BitTornado"=BitTornado 0.3.17
"dBpoweramp Music Converter"=dBpoweramp Music Converter
"DECCHECK"=Microsoft Windows XP Video Decoder Checkup Utility
"Diet Analysis Plus"=Diet Analysis Plus 8.0
"GSpot"=GSpot Codec Information Appliance
"HijackThis"=HijackThis 1.99.1
"HP OfficeJet Series 700"=HP OfficeJet Series 700 (Remove Only)
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"InterActual Player"=InterActual Player
"KLiteCodecPack_is1"=K-Lite Codec Pack 2.71 Standard
"LimeWire"=LimeWire 4.16.6
"LiveUpdate"=LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (1.5.0.12)"=Mozilla Firefox (1.5.0.12)
"Mozilla Thunderbird (1.5.0.14)"=Mozilla Thunderbird (1.5.0.14)
"NeroMultiInstaller!UninstallKey"=Nero Suite
"NVIDIA Drivers"=NVIDIA Drivers
"RealPlayer 6.0"=RealPlayer
"ShockwaveFlash"=Macromedia Flash Player 8
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.4
"SpywareBlaster_is1"=SpywareBlaster v3.4
"Starcraft"=Starcraft
"Wdf01005"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp"=Winamp
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 2
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1"=Xvid 1.1.2 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/13/2008 4:38:06 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Trojan.Vundo in File: c:\system volume information\_restore{6cbdb862-0933-4e91-bb9b-be7b0523d27e}\RP620\A0080324.dll
by: Auto-Protect scan. Action: Quarantine succeeded. Action Description: The
file was quarantined successfully.

Error - 12/13/2008 4:38:09 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: C:\System Volume
Information\_restore{6CBDB862-0933-4E91-BB9B-BE7B0523D27E}\RP620\A0080324.dll by:
Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description:
The file was quarantined successfully.

Error - 12/14/2008 12:08:32 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Threat: Trojan.Vundo in File: Unavailable by:
Invalid : (15) scan. Action: Leave Alone succeeded. Action Description: The file
was left unchanged.

Error - 12/14/2008 12:08:38 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


Error - 12/30/2008 7:10:42 PM | Computer Name = HAL2000 | Source = .NET Runtime | ID = 0
Description =

Error - 12/30/2008 7:14:24 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 12/30/2008 7:14:52 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 12/30/2008 7:24:33 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:00:31 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:00:40 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

[ System Events ]
Error - 12/27/2008 6:01:36 PM | Computer Name = HAL2000 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/29/2008 2:56:18 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/30/2008 3:52:24 PM | Computer Name = HAL2000 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 74.192.68.208 on
the Network Card with network address 00E081271AB6.

Error - 12/30/2008 3:52:56 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/30/2008 6:50:27 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/30/2008 10:30:35 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/31/2008 12:58:55 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/31/2008 2:34:36 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/31/2008 3:07:56 PM | Computer Name = HAL2000 | Source = DCOM | ID = 10010
Description = The server {46986115-84D6-459C-8F95-52DD653E532E} did not register
with DCOM within the required timeout.

Error - 1/1/2009 12:28:39 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.


< End of report >

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:23 AM

Posted 02 January 2009 - 11:50 AM

Hello again.

The Combofix you have right now is outdated, let's uninstall it and re-download it and run it again. This time please run it ONLY ONCE.

Uninstall ComboFix

Since we're going to download the newer version, we are going to remove ComboFix now.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
Uninstalling ComboFix will remove all components related to Combofix, from your computer.

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Please post back with:
-Combofix log (RUN ONLY ONCE PLEASE)
-New OTViewIT logs


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#12 likuid99

likuid99
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:23 AM

Posted 03 January 2009 - 02:48 PM

Thanks again for your help. I really don't understand the scans and what they detect, etc., but I notice some items that are associated with Zune. I do not own a Zune; it was installed by someone else without my permission. I attempted to uninstall it, but it seems there are things left. Any help with getting rid of that as well (provided it's not any extra trouble) would be greatly appreciated.

ComboFix 09-01-02.01 - Cisco 2009-01-03 13:36:32.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.563 [GMT -6:00]
Running from: c:\documents and settings\Cisco\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: Symantec Client Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2008-12-31 13:07 . 2008-12-31 13:32 <DIR> d-------- c:\documents and settings\E\Application Data\Winamp
2008-12-31 02:34 . 2008-12-31 02:34 <DIR> d-------- c:\documents and settings\E\Application Data\.BitTornado
2008-12-31 00:25 . 2008-12-31 00:25 <DIR> d-------- c:\documents and settings\E\Application Data\acccore
2008-12-30 17:10 . 2008-12-31 23:04 <DIR> d-------- c:\documents and settings\E
2008-12-27 14:36 . 2008-12-27 14:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-14 21:36 . 2008-12-14 21:36 <DIR> d-------- C:\rsit
2008-12-14 21:36 . 2008-12-14 21:36 <DIR> d-------- c:\program files\trend micro
2008-12-06 14:46 . 2008-12-17 13:51 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-06 14:46 . 2008-12-06 14:46 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-27 20:36 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-27 20:36 --------- d-----w c:\program files\Java
2008-12-24 06:27 --------- d-----w c:\documents and settings\Cisco\Application Data\LimeWire
2008-12-16 03:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-08 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 00:21 --------- d-----w c:\program files\Windows Live
2008-12-08 00:16 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-25 07:17 27,648 ----a-w C:\gmw5vr.exe
2008-11-24 19:54 27,648 ----a-w C:\gf76zy.exe
2008-11-17 21:37 --------- d-----w c:\documents and settings\Cisco\Application Data\Malwarebytes
2008-11-17 21:37 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-15 01:44 18,750 ----a-w c:\documents and settings\All Users\Application Data\wodowuxeji.bin
2008-11-15 01:44 17,189 ----a-w c:\documents and settings\All Users\Application Data\ejocop.com
2008-11-14 20:54 19,408 ----a-w c:\program files\Common Files\fapepapyqi.sys
2008-11-14 20:54 19,204 ----a-w c:\documents and settings\All Users\Application Data\awuxyjiwi.com
2008-11-14 20:54 18,582 ----a-w c:\documents and settings\Cisco\Application Data\ykarihoru.bat
2008-11-14 20:54 18,036 ----a-w c:\documents and settings\All Users\Application Data\sarebis.scr
2008-11-14 20:54 17,976 ----a-w c:\documents and settings\Cisco\Application Data\ylef.pif
2008-11-14 20:54 17,964 ----a-w c:\documents and settings\All Users\Application Data\ebycoc.bat
2008-11-14 20:54 17,787 ----a-w c:\windows\iret.exe
2008-11-14 20:54 17,634 ----a-w c:\program files\Common Files\upas.dll
2008-11-14 20:54 17,345 ----a-w c:\program files\Common Files\pywofif.bat
2008-11-14 20:54 14,951 ----a-w c:\program files\Common Files\lejuhebihe.dl
2008-11-14 20:54 14,546 ----a-w c:\windows\tyhuhovulo.vbs
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-11-15 85744]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-04-27 180269]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-20 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-05-20 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Series 700 Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Series 700 Startup.lnk
backup=c:\windows\pss\HP OfficeJet Series 700 Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Alarm++.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Alarm++.lnk
backup=c:\windows\pss\Alarm++.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^MEMonitor.lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\MEMonitor.lnk
backup=c:\windows\pss\MEMonitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cisco^Start Menu^Programs^Startup^Shortcut to ARiD (2).lnk]
path=c:\documents and settings\Cisco\Start Menu\Programs\Startup\Shortcut to ARiD (2).lnk
backup=c:\windows\pss\Shortcut to ARiD (2).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 14:08 67160 f:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 10:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-01 14:57 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-04-27 18:29 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 12:49 36352 f:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"nogikopomo"=Rundll32.exe "c:\windows\system32\tahalopu.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"f:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
S3 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2006-04-26 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2005-03-31 16:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cisco\Application Data\Mozilla\Firefox\Profiles\0p7l4jbw.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - component: f:\program files\Firefox\\components\xpinstal.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
f:\program files\Firefox\\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
f:\program files\Firefox\\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
f:\program files\Firefox\\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 13:38:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-03 13:39:36
ComboFix-quarantined-files.txt 2009-01-03 19:39:04
ComboFix2.txt 2008-12-30 22:03:06

Pre-Run: 27,882,344,448 bytes free
Post-Run: 28,061,749,248 bytes free

167


OTViewIt logfile created on: 1/3/2009 1:42:18 PM - Run 4
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 573.74 Mb Available Physical Memory | 56.08% Memory free
2.40 Gb Paging File | 2.08 Gb Available in Paging File | 86.49% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 26.15 Gb Free Space | 70.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 96.92 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2005/11/15 12:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
[2006/04/27 18:29:52 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/12/27 14:36:35 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy [Auto | Running])
[2005/10/04 11:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe -- (ISSVC [Auto | Running])
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/11/15 12:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [Auto | Running])
[2005/03/30 20:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe -- (SymSecurePort [Auto | Running])

========== Driver Services ==========

[2004/08/03 22:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Boot | Running])
[2004/08/03 21:59:22 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2002/07/19 09:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 09:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 06:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 09:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 09:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2004/08/03 21:58:30 | 00,207,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [On_Demand | Running])
[2001/08/17 12:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Running])
[2008/09/02 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2001/08/17 11:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC [On_Demand | Running])
[2002/07/19 09:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2008/09/02 02:00:00 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2004/03/26 12:08:54 | 00,122,112 | ---- | M] (Cisco-Linksys LLC.) -- C:\WINDOWS\system32\drivers\vnet58lx.sys -- (FVNETusb [On_Demand | Stopped])
[2004/08/03 22:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 12:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2008/11/11 03:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090102.006\naveng.sys -- (NAVENG [On_Demand | Running])
[2008/11/11 03:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090102.006\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2005/05/20 02:41:04 | 02,826,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/07/19 09:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 17:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2005/08/26 13:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2005/08/26 13:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2001/08/23 06:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/03/30 20:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[2007/07/03 17:54:24 | 00,080,552 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
[2007/07/03 17:57:24 | 00,011,944 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
[2007/07/03 17:58:20 | 00,106,792 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
[2007/07/03 17:59:10 | 00,086,824 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
[2005/10/19 16:38:40 | 00,012,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symdns.sys -- (SYMDNS [On_Demand | Running])
[2005/09/16 23:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2005/10/19 16:38:46 | 00,109,200 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symfw.sys -- (SYMFW [On_Demand | Running])
[2005/10/19 16:38:54 | 00,031,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symids.sys -- (SYMIDS [On_Demand | Running])
[2008/09/12 07:33:22 | 00,250,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\scfidsdefs\20081214.001\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Running])
[2005/10/19 16:38:50 | 00,028,304 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symndis.sys -- (SYMNDIS [On_Demand | Running])
[2005/10/19 16:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[2005/10/19 16:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe (Symantec Corporation)
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}: Button: AIM -- F:\Program Files\AIM\aim.exe [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{31E68DE2-5548-4B23-88F0-C51E6A0F695E}: https://support.microsoft.com/OAS/ActiveX/odc.cab -- Microsoft PID Sniffer
{57C76689-F052-487B-A19F-855AFDDF28EE}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Policy Agent Host Class
{7E73BE8F-FD87-44EC-8E22-023D5FF960FF}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2006 -- F5 Virtual Sandbox Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688 -- Java Plug-in 1.6.0_11
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2005 -- F5 Networks SuperHost Class
{E0FF21FA-B857-45C5-8621-F120A0C17FF2}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Host Control
{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}: https://securera.edwardjones.com/policy/dow...,2008,0122,2007 -- F5 Networks OS Policy Agent

========== (O17) DNS Name Servers ==========

{7CF52ECB-6146-49A0-99D8-3C42AD0A2EF9} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{BA4755C8-204B-4AD9-972A-78BF775C9BC7} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{D2F2FA22-EABC-403A-8197-9F883C0559B5} (Servers: | Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible))

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\System32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/04/26 22:06:19 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTORUN.INF [[autorun] | OPEN=SETUP.EXE | ICON=BW.ICO | ]
[1998/12/13 01:43:32 | 00,000,040 | R--- | M] () -- E:\AUTORUN.INF -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
""=E:\SETUP.EXE -- [1998/11/30 23:04:40 | 00,025,600 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2009/01/03 13:35:55 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/01/03 13:35:55 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/01/03 13:35:55 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/01/03 13:35:55 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/01/03 13:35:55 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/01/03 13:35:55 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/01/03 13:35:55 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/01/03 13:35:55 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/01/03 13:35:55 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/01/03 13:35:50 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/01/03 13:34:09 | 02,888,012 | R--- | C] () -- C:\Documents and Settings\Cisco\Desktop\ComboFix.exe
[2008/12/27 17:17:20 | 00,006,692 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/23 20:20:22 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/23 20:20:00 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/18 00:13:03 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/14 21:36:33 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2008/12/14 21:36:32 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/12 02:27:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cisco\My Documents\New Folder
[2008/12/09 01:22:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2008/12/09 01:22:00 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008/12/09 01:21:56 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/12/08 13:05:45 | 00,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2008/12/06 14:46:21 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/12/06 14:46:21 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/01/03 13:39:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/03 13:38:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/03 13:33:42 | 02,888,012 | R--- | M] () -- C:\Documents and Settings\Cisco\Desktop\ComboFix.exe
[2009/01/03 13:28:38 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.CDF
[2009/01/03 13:28:38 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.BAK
[2009/01/03 13:28:15 | 00,013,700 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/03 13:27:49 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/03 13:27:44 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2009/01/03 04:55:39 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/03 04:55:39 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/03 04:55:39 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/03 04:55:39 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/03 04:55:39 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/01/03 04:55:39 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/01/03 04:55:39 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2009/01/03 04:55:39 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2009/01/03 04:55:23 | 00,000,040 | ---- | M] () -- C:\WINDOWS\System32\profile.dat
[2009/01/02 23:52:47 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/01/01 23:49:15 | 06,911,906 | -H-- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\IconCache.db
[2008/12/30 17:21:15 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/27 17:17:20 | 00,006,692 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/23 05:25:47 | 00,000,962 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\MyAlarms.alm
[2008/12/18 12:44:47 | 00,096,768 | ---- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/18 00:13:04 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/17 13:51:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/17 13:12:37 | 00,000,533 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/17 13:12:37 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2008/12/14 21:36:07 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/10 23:05:04 | 00,002,141 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/09 01:14:19 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/12/09 01:02:58 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pekigoba
[2008/12/08 12:14:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2008/12/07 18:22:20 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\My Sharing Folders.lnk
[2008/12/06 14:46:21 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
< End of report >


OTViewIt Extras logfile created on: 1/3/2009 1:42:18 PM - Run 4
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 573.74 Mb Available Physical Memory | 56.08% Memory free
2.40 Gb Paging File | 2.08 Gb Available in Paging File | 86.49% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 26.15 Gb Free Space | 70.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 96.92 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0
"AntiVirusDisableNotify"=1
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
"DisableNotifications"=0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
File not found -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
File not found -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/08/03 23:56:58 | 00,140,800 | ---- | M] (Microsoft Corporation) -- %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
[2008/02/08 15:32:57 | 00,147,456 | ---- | M] (Lime Wire, LLC) -- F:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire
[2006/11/03 01:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
[2006/10/18 19:30:18 | 00,087,552 | ---- | M] () -- F:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui
[2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:ccApp

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== HKEY_USERS Protocol Defaults ==========


[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
msdaipp: [HKLM - No CLSID value]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\] - Protocol Handlers
[2003/07/11 01:25:22 | 00,842,816 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/03/22 20:58:01 | 08,140,480 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (mso-offdap11:{32505114-5902-49B2-880A-1F7738E5A384} (HKLM) [Data Page Plugable Protocal mso-offdap11 Handler])

========== (O18) Protocol Filters ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\] - Protocol Filters
[2003/07/14 21:45:12 | 00,039,488 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL text/xml:{807553E5-5146-11D5-A672-00B0D022E945} (HKLM) [Reg Error: Value does not exist or could not be read.]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}"=Java™ 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3FCAADB8-EB1B-11D6-AB2D-0090271A23A2}"=Sound Blaster Live! Web 2K/XP
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{91110409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}"=Microsoft Application Error Reporting
"{AC76BA86-7AD7-1033-7B44-A70000000000}"=Adobe Reader 7.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{D050D7362D214723AD585B541FFB6C11}"=DivX Content Uploader
"{D75D48AF-E2D5-49EF-9571-EE7AFB6565B4}"=Symantec Client Security
"{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8}"=QuickTime
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"AIM_6"=AIM 6
"Alarm++"=Alarm++
"AOL Instant Messenger"=AOL Instant Messenger
"BitTornado"=BitTornado 0.3.17
"dBpoweramp Music Converter"=dBpoweramp Music Converter
"DECCHECK"=Microsoft Windows XP Video Decoder Checkup Utility
"Diet Analysis Plus"=Diet Analysis Plus 8.0
"GSpot"=GSpot Codec Information Appliance
"HijackThis"=HijackThis 1.99.1
"HP OfficeJet Series 700"=HP OfficeJet Series 700 (Remove Only)
"InstallShield_{E9ED0801-253D-4FE9-AB20-F63DEFE72547}"=SAMSUNG Mobile USB DRIVER(4.40.7.0) v1.6
"InterActual Player"=InterActual Player
"KLiteCodecPack_is1"=K-Lite Codec Pack 2.71 Standard
"LimeWire"=LimeWire 4.16.6
"LiveUpdate"=LiveUpdate 2.6 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (1.5.0.12)"=Mozilla Firefox (1.5.0.12)
"Mozilla Thunderbird (1.5.0.14)"=Mozilla Thunderbird (1.5.0.14)
"NeroMultiInstaller!UninstallKey"=Nero Suite
"NVIDIA Drivers"=NVIDIA Drivers
"RealPlayer 6.0"=RealPlayer
"ShockwaveFlash"=Macromedia Flash Player 8
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.4
"SpywareBlaster_is1"=SpywareBlaster v3.4
"Starcraft"=Starcraft
"Wdf01005"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007"=Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Winamp"=Winamp
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows Media Player"=Windows Media Player 10
"Windows XP Service Pack"=Windows XP Service Pack 2
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xvid_is1"=Xvid 1.1.2 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/14/2008 12:08:38 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Threat: Trojan.Vundo in File: Unavailable by:
Invalid : (15) scan. Action: Delete failed : Leave Alone failed. Action Description:


Error - 12/30/2008 7:10:42 PM | Computer Name = HAL2000 | Source = .NET Runtime | ID = 0
Description =

Error - 12/30/2008 7:14:24 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 12/30/2008 7:14:52 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 12/30/2008 7:24:33 PM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:00:31 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:00:40 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:19:30 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gmw5vr.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/1/2009 1:19:40 AM | Computer Name = HAL2000 | Source = Symantec AntiVirus | ID = 16711685
Description = Threat Found!Threat: Downloader in File: C:\gf76zy.exe by: Auto-Protect
scan. Action: Clean failed : Quarantine failed : Access denied. Action Description:
The file was left unchanged.

Error - 1/3/2009 1:52:29 AM | Computer Name = HAL2000 | Source = .NET Runtime | ID = 0
Description =

[ System Events ]
Error - 12/30/2008 6:50:27 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/30/2008 10:30:35 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/31/2008 12:58:55 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 12/31/2008 2:34:36 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 12/31/2008 3:07:56 PM | Computer Name = HAL2000 | Source = DCOM | ID = 10010
Description = The server {46986115-84D6-459C-8F95-52DD653E532E} did not register
with DCOM within the required timeout.

Error - 1/1/2009 12:28:39 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 1/1/2009 3:13:40 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 1/2/2009 3:59:42 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 1/2/2009 6:34:21 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2

Error - 1/3/2009 3:28:16 PM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


< End of report >
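
The two log sections above that matter most for this thread (the Security Center / firewall values and the dated file listing) can be triaged mechanically. The script below is an added example for this thread, not code from the original post and not part of OldTimer's OTViewIt or RSIT; it parses the line formats exactly as they appear in the log, applies a few heuristics that are my own assumptions (extension-less files in the Windows tree, executables with no publisher string in the Windows tree or a drive root, notification-suppressing Security Center values, firewall off in the standard profile), and runs them over sample lines copied from the log plus one constructed entry for `C:\gf76zy.exe`, the file Symantec's event-log entries named (its listing line, date and size are invented for the example).

```python
"""Triage helper for the OTViewIt/RSIT log format shown above.

Added example for this thread, not code from the original post or from
OldTimer's tool; the heuristics and the sample at the bottom are assumptions.
"""
import re
from typing import List, Optional, Tuple

# File entry:  [yyyy/mm/dd hh:mm:ss | size | attrs | C or M] (Company) -- path
FILE_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)(?: -- \[ \w+ \])?$"
)
# Registry value line, interpreted under the most recent [HKEY_...] key line.
REG_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\$", re.I)
EXEC_EXT = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}

# (key fragment, value name, value) -> why it matters.  The two notify values
# are the ones the CFScript later in this thread sets back to 0.
WEAK_SETTINGS = {
    ("security center", "antivirusdisablenotify", "1"): "Security Center AV alerts suppressed",
    ("security center", "updatesdisablenotify", "1"): "Security Center update alerts suppressed",
    ("security center", "firewalldisablenotify", "1"): "Security Center firewall alerts suppressed",
    ("standardprofile", "enablefirewall", "0"): "Windows Firewall off (OK only if a third-party firewall is active)",
}


def check_file(m: re.Match) -> Optional[str]:
    """Return a reason to look at this file entry, or None."""
    attrs, company, path = m["attrs"], m["company"] or "", m["path"]
    if "D" in attrs:                      # directory entry: nothing to judge
        return None
    parent, _, name = path.rpartition("\\")
    parent += "\\"
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if WINDOWS_DIR_RE.match(parent) and ext == "":
        return "extension-less file in the Windows tree"
    if WINDOWS_DIR_RE.match(parent) and ext in EXEC_EXT and not company:
        return "executable with no publisher in the Windows tree (check against tools the cleaner drops)"
    if DRIVE_ROOT_RE.match(parent) and ext in EXEC_EXT and not company:
        return "executable with no publisher in a drive root"
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """One pass over the log; returns (reason, original line) pairs."""
    findings: List[Tuple[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("[HKEY_", "HKEY_")):  # key header, bracketed or not
            current_key = line.strip("[]").lower()
            continue
        rm = REG_RE.match(line)
        if rm:
            for (frag, name, bad), reason in WEAK_SETTINGS.items():
                if frag in current_key and rm["name"].lower() == name and rm["value"].strip() == bad:
                    findings.append((reason, line))
            continue
        fm = FILE_RE.match(line)
        if fm:
            reason = check_file(fm)
            if reason:
                findings.append((reason, line))
    return findings


# Lines taken from the log above, plus one constructed entry for C:\gf76zy.exe
# (the file Symantec reported); its date and size are invented for the example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=0
"AntiVirusDisableNotify"=1
"UpdatesDisableNotify"=1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall"=0
[6 C:\WINDOWS\*.tmp files]
[2009/01/03 13:27:44 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2009/01/03 13:35:55 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/01/03 13:35:50 | 00,000,000 | ---D | C] -- C:\Qoobox
[2008/12/17 13:51:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/09 01:02:58 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pekigoba
[2008/12/30 19:10:00 | 00,045,056 | ---- | M] () -- C:\gf76zy.exe
"""
```

Run `triage(open("OTViewIt.Txt").read())` on a saved log to get the same list for a real file. On the log above it flags `C:\WINDOWS\System32\pekigoba` (hidden, no extension, no publisher), the two `*DisableNotify=1` values and `EnableFirewall=0`; the firewall finding is expected here because the Symantec Client Firewall is installed, and the "no publisher in the Windows tree" rule will also name the helper binaries the log shows created in `C:\WINDOWS` alongside `C:\Qoobox` (sed.exe, grep.exe, zip.exe and so on), which is why that reason tells the reader to compare against the cleanup tool's own drops rather than treating every hit as malware. `DisableMonitoring=1` under the vendor subkeys is deliberately not flagged: it says nothing on its own about whether the product is running.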

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:23 AM

Posted 03 January 2009 - 09:08 PM

Hello

Thanks again for your help. I really don't understand the scans and what they detect etc., but I notice some items that are associated with Zune. I do not own a Zune; it was installed by someone else without my permission. I attempted to uninstall it but it seems there are things left. Any help with getting rid of that as well (provided it's not any extra trouble) would be greatly appreciated.

Where are you seeing that there are things associated with "Zune"?

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    File::
    C:\gmw5vr.exe
    C:\gf76zy.exe
    c:\documents and settings\All Users\Application Data\wodowuxeji.bin
    c:\documents and settings\All Users\Application Data\ejocop.com
    c:\program files\Common Files\fapepapyqi.sys
    c:\documents and settings\All Users\Application Data\awuxyjiwi.com
    c:\documents and settings\Cisco\Application Data\ykarihoru.bat
    c:\documents and settings\All Users\Application Data\sarebis.scr
    c:\documents and settings\Cisco\Application Data\ylef.pif
    c:\documents and settings\All Users\Application Data\ebycoc.bat
    c:\windows\iret.exe
    c:\program files\Common Files\upas.dll
    c:\program files\Common Files\pywofif.bat
    c:\program files\Common Files\lejuhebihe.dl
    c:\windows\tyhuhovulo.vbs
    c:\windows\system32\tahalopu.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "nogikopomo"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "UpdatesDisableNotify"=dword:00000000
    
    [HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Drag CFScript.txt onto ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post back with:
-Combofix log
-New OTViewiT logs
-Problems you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#14 likuid99

likuid99
  • Topic Starter

  • Members
  • 49 posts
  • Local time:03:23 AM

Posted 04 January 2009 - 10:59 PM

Error - 12/31/2008 12:58:55 AM | Computer Name = HAL2000 | Source = Service Control Manager | ID = 7000
Description = The Zune Bus Enumerator Driver service failed to start due to the
following error: %%2


That is one of the Zune items I am speaking of, at the end of the Extras file from OTViewIt.

I ran ComboFix according to your instructions with the text file and it took longer and ran Findstr(?), and also deleted several files. It did not prompt or auto-restart my PC. Then I ran OTViewIt and, due to an accident, my computer was restarted before I was able to save the Extras or ComboFix log.
I figured it was best to just stop there and ask.

Problems I have been having. Well, I have heard that it is safer to run day to day on your PC on a limited (Windows) account in case security is breached, helping prevent access to certain files. So I have set up one (am I mistaken in this assumption?) and in doing so I had a new "Download" alert file pop up with my Symantec AntiVirus, as well as problems just having the firewall on. While on either my limited or admin account the firewall kept automatically turning off. I then received an error message telling me I should reinstall my Symantec software. However, today I have had no such problems; firewall and antivirus started up. I closed them before running ComboFix.
My svchost.exe, Rtvscan.exe and ccApp processes are all using 40 MB or so apiece; this seems really high and seems to be related to my Symantec problems. (Not sure about ccApp though, not sure what that is.)

So that's about it. I really apologize sincerely for botching up this step; hopefully it isn't serious. Here is my OTViewIt file as well. I really appreciate the assistance, thank you.

OTViewIt logfile created on: 1/4/2009 9:06:12 PM - Run 5
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Cisco\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.98 Mb Total Physical Memory | 540.47 Mb Available Physical Memory | 52.83% Memory free
2.40 Gb Paging File | 2.06 Gb Available in Paging File | 85.52% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 26.08 Gb Free Space | 70.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 620.40 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 186.31 Gb Total Space | 96.92 Gb Free Space | 52.02% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAL2000
Current User Name: Cisco
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
[2005/10/04 11:42:40 | 00,048,752 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[2005/11/15 12:28:04 | 00,085,744 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\VPTray.exe
[2006/04/27 18:29:52 | 00,180,269 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[2008/12/27 14:36:35 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe
[2004/08/03 23:56:56 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\notepad.exe
[2004/08/03 23:56:58 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/10/04 11:42:42 | 00,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr [Auto | Running])
[2005/10/04 11:42:46 | 00,239,216 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccProxy.exe -- (ccProxy [Auto | Running])
[2005/10/04 11:42:48 | 00,083,568 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc [On_Demand | Stopped])
[2005/10/04 11:42:50 | 00,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr [Auto | Running])
[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/11/15 12:27:44 | 00,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe -- (DefWatch [Auto | Running])
[2005/11/09 23:59:20 | 00,079,488 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe -- (ISSVC [Auto | Running])
[2008/12/27 14:36:35 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/05/20 02:41:08 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
[2005/11/15 12:27:56 | 00,169,200 | ---- | M] (symantec) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe -- (SavRoam [On_Demand | Stopped])
[2005/10/19 16:39:34 | 00,214,672 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [Auto | Running])
[2005/03/30 20:48:22 | 00,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc [On_Demand | Stopped])
[2005/11/15 12:27:54 | 01,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus [Auto | Running])
[2005/11/09 23:59:54 | 00,161,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe -- (SymSecurePort [Auto | Running])

========== Driver Services ==========

[2004/08/03 22:07:44 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\drivers\amdagp.sys -- (amdagp [Boot | Running])
[2004/08/03 21:59:22 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\amdk7.sys -- (AmdK7 [System | Running])
[2002/07/19 09:46:28 | 00,127,948 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctac32k.sys -- (ctac32k [On_Demand | Running])
[2002/07/19 09:47:52 | 00,837,548 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctaud2k.sys -- (ctaud2k [On_Demand | Running])
[2001/08/17 06:19:20 | 00,003,712 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctljystk.sys -- (ctljystk [On_Demand | Stopped])
[2002/07/19 09:48:08 | 00,011,068 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys -- (ctprxy2k [On_Demand | Running])
[2002/07/19 09:48:22 | 00,213,860 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k [On_Demand | Running])
[2004/08/03 21:58:30 | 00,207,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4.sys -- (Dot4 [On_Demand | Running])
[2001/08/17 12:47:32 | 00,012,928 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\Dot4Prt.sys -- (Dot4Print [On_Demand | Running])
[2008/09/02 02:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
[2001/08/17 11:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\system32\drivers\el90xbc5.sys -- (EL90XBC [On_Demand | Running])
[2002/07/19 09:48:32 | 00,156,604 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\emupia2k.sys -- (emupia [On_Demand | Running])
[2008/09/02 02:00:00 | 00,099,376 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
[2004/03/26 12:08:54 | 00,122,112 | ---- | M] (Cisco-Linksys LLC.) -- C:\WINDOWS\system32\drivers\vnet58lx.sys -- (FVNETusb [On_Demand | Stopped])
[2004/08/03 22:08:22 | 00,010,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum [On_Demand | Running])
[2002/07/24 12:52:26 | 00,998,004 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys -- (ha10kx2k [On_Demand | Running])
[2008/11/11 03:00:00 | 00,089,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090104.003\naveng.sys -- (NAVENG [On_Demand | Running])
[2008/11/11 03:00:00 | 00,876,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090104.003\navex15.sys -- (NAVEX15 [On_Demand | Running])
[2005/05/20 02:41:04 | 02,826,944 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2002/07/19 09:48:04 | 00,195,432 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv [On_Demand | Running])
[1999/12/17 00:00:00 | 00,006,752 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\PFMODNT.SYS -- (PfModNT [Auto | Running])
[2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/03/07 17:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2005/08/26 13:22:48 | 00,334,984 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\savrt.sys -- (SAVRT [System | Running])
[2005/08/26 13:22:50 | 00,053,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec Client Security\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL [System | Running])
[2001/08/23 06:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2005/03/30 20:48:20 | 00,372,832 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv [On_Demand | Stopped])
[2007/07/03 17:54:24 | 00,080,552 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdbus.sys -- (sscdbus [On_Demand | Stopped])
[2007/07/03 17:57:24 | 00,011,944 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdfl.sys -- (sscdmdfl [On_Demand | Stopped])
[2007/07/03 17:58:20 | 00,106,792 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdmdm.sys -- (sscdmdm [On_Demand | Stopped])
[2007/07/03 17:59:10 | 00,086,824 | R--- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\sscdserd.sys -- (sscdserd [On_Demand | Stopped])
[2005/10/19 16:38:40 | 00,012,944 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symdns.sys -- (SYMDNS [On_Demand | Running])
[2005/09/16 23:20:06 | 00,108,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2005/10/19 16:38:46 | 00,109,200 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symfw.sys -- (SYMFW [On_Demand | Running])
[2005/10/19 16:38:54 | 00,031,888 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symids.sys -- (SYMIDS [On_Demand | Running])
[2008/09/12 07:33:22 | 00,250,224 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SymcData\scfidsdefs\20081214.001\SymIDSCo.sys -- (SYMIDSCO [On_Demand | Running])
[2005/10/19 16:38:50 | 00,028,304 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symndis.sys -- (SYMNDIS [On_Demand | Running])
[2005/10/19 16:38:58 | 00,024,720 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Running])
[2005/10/19 16:39:04 | 00,195,728 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2008/03/27 15:27:46 | 00,503,008 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\wdf01000.sys -- (Wdf01000 [On_Demand | Stopped])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://go.microsoft.com/fwlink/?LinkId=69157
"Default_Search_URL"=http://go.microsoft.com/fwlink/?LinkId=54896
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://go.microsoft.com/fwlink/?LinkId=54896
"Start Page"=http://www.google.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main]
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.google.com

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0

========== (O1) Hosts File ==========

HOSTS File = (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (HKLM) -- C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation)
"Jet Detection"="C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" ()
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc.)
"UpdReg"=C:\WINDOWS\UpdReg.EXE (Creative Technology Ltd.)
"vptray"=C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe (Symantec Corporation)
"WINDVDPatch"=CTHELPER.EXE (Creative Technology Ltd)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)

========== (O4) Startup Folders ==========


========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDrives"=0
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableRegistryTools"=0

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=323
"ForceClassicControlPanel"=1
"NoDrives"=0
"NoDriveAutoRun"=67108863

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\Software\Microsoft\Internet Explorer\MenuExt\]
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [2004/05/18 18:58:38 | 10,080,960 | ---- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}: Button: Research -- %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}: Button: AIM -- F:\Program Files\AIM\aim.exe [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Button: Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}: Menu: Windows Messenger -- %ProgramFiles%\Messenger\msmsgs.exe [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 21:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} [HKLM] -> F:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 14:08:26 | 00,067,160 | ---- | M] (America Online, Inc.)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2004/10/13 10:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_USERS\S-1-5-21-1757981266-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
22 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{31E68DE2-5548-4B23-88F0-C51E6A0F695E}: https://support.microsoft.com/OAS/ActiveX/odc.cab -- Microsoft PID Sniffer
{57C76689-F052-487B-A19F-855AFDDF28EE}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Policy Agent Host Class
{7E73BE8F-FD87-44EC-8E22-023D5FF960FF}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2006 -- F5 Virtual Sandbox Class
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688 -- Java Plug-in 1.6.0_11
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2005 -- F5 Networks SuperHost Class
{E0FF21FA-B857-45C5-8621-F120A0C17FF2}: https://securera.edwardjones.com/vdesk/term...,2008,0122,2004 -- F5 Networks Host Control
{E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D}: https://securera.edwardjones.com/policy/dow...,2008,0122,2007 -- F5 Networks OS Policy Agent

========== (O17) DNS Name Servers ==========

{7CF52ECB-6146-49A0-99D8-3C42AD0A2EF9} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{BA4755C8-204B-4AD9-972A-78BF775C9BC7} (Servers: | Description: Linksys Wireless-B USB Network Adapter v2.8)
{D2F2FA22-EABC-403A-8197-9F883C0559B5} (Servers: | Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible))

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
NavLogon: "DllName" = C:\WINDOWS\System32\NavLogon.dll -- C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2006/04/26 22:06:19 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTORUN.INF [[autorun] | OPEN=SETUP.EXE | ICON=BW.ICO | ]
[1998/12/13 01:43:32 | 00,000,040 | R--- | M] () -- E:\AUTORUN.INF -- [ CDFS ]

========== MountPoints2 ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell]
""=AutoRun

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun]
""=Auto&Play


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\Shell\AutoRun\command]
""=E:\SETUP.EXE -- [1998/11/30 23:04:40 | 00,025,600 | R--- | M] ()

========== Files/Folders - Created Within 30 Days ==========

[6 C:\WINDOWS\*.tmp files]
[2009/01/03 13:35:55 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/01/03 13:35:55 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/01/03 13:35:55 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/01/03 13:35:55 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/01/03 13:35:55 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/01/03 13:35:55 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/01/03 13:35:55 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/01/03 13:35:55 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/01/03 13:35:55 | 00,028,672 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/01/03 13:35:50 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/01/03 13:34:09 | 02,888,012 | R--- | C] () -- C:\Documents and Settings\Cisco\Desktop\ComboFix.exe
[2008/12/27 17:17:20 | 00,006,692 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/23 20:20:22 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/23 20:20:00 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/18 00:13:03 | 00,027,648 | ---- | C] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/14 21:36:33 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2008/12/14 21:36:32 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/12 02:27:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Cisco\My Documents\New Folder
[2008/12/09 01:22:03 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2008/12/09 01:22:00 | 00,260,272 | ---- | C] () -- C:\cmldr
[2008/12/09 01:21:56 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2008/12/09 00:59:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2008/12/08 13:05:45 | 00,000,000 | ---D | C] -- C:\Program Files\Hijackthis
[2008/12/06 14:46:21 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2008/12/06 14:46:21 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for

========== Files - Modified Within 30 Days ==========

[6 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/01/04 21:04:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/01/04 21:02:51 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/01/04 20:54:35 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.CDF
[2009/01/04 20:54:35 | 03,374,782 | ---- | M] () -- C:\WINDOWS\{00000002-00000000-00000004-00001102-00000002-80651102}.BAK
[2009/01/04 20:54:11 | 00,013,700 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/01/04 20:52:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/01/04 20:51:57 | 10,727,46496 | -HS- | M] () -- C:\hiberfil.sys
[2009/01/04 03:51:31 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/04 03:51:31 | 00,025,296 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/04 03:51:31 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/04 03:51:31 | 00,016,516 | ---- | M] () -- C:\WINDOWS\System32\BMXState-{00000002-00000000-00000004-00001102-00000002-80651102}.rfx
[2009/01/04 03:51:31 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settingsbkup.sfm
[2009/01/04 03:51:31 | 00,001,072 | ---- | M] () -- C:\WINDOWS\System32\settings.sfm
[2009/01/04 03:51:31 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2009/01/04 03:51:31 | 00,000,024 | ---- | M] () -- C:\WINDOWS\System32\DVCState-{00000002-00000000-00000004-00001102-00000002-80651102}.dat
[2009/01/04 03:51:14 | 00,000,040 | ---- | M] () -- C:\WINDOWS\System32\profile.dat
[2009/01/04 03:50:49 | 06,912,790 | -H-- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\IconCache.db
[2009/01/03 13:33:42 | 02,888,012 | R--- | M] () -- C:\Documents and Settings\Cisco\Desktop\ComboFix.exe
[2009/01/02 23:52:47 | 00,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2008/12/30 17:21:15 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/27 17:17:20 | 00,006,692 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\kasper.html
[2008/12/23 20:19:14 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cisco\Desktop\OTViewIt.exe
[2008/12/23 05:25:47 | 00,000,962 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\MyAlarms.alm
[2008/12/18 12:44:47 | 00,096,768 | ---- | M] () -- C:\Documents and Settings\Cisco\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/18 00:13:04 | 00,027,648 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\panel.doc
[2008/12/17 13:51:12 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/12/17 13:12:37 | 00,000,533 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/12/17 13:12:37 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2008/12/14 21:36:07 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Cisco\Desktop\RSIT.exe
[2008/12/10 23:05:04 | 00,002,141 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/12/09 01:14:19 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008/12/09 01:02:58 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\pekigoba
[2008/12/08 12:14:17 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2008/12/07 18:22:20 | 00,000,899 | ---- | M] () -- C:\Documents and Settings\Cisco\My Documents\My Sharing Folders.lnk
[2008/12/06 14:46:21 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
< End of report >

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:03:23 AM

Posted 05 January 2009 - 05:16 PM

Hello.

I ran ComboFix according to your instructions with the text file and it took longer and ran Findstr(?), and also deleted several files. It did not prompt or auto restart my PC. Then I ran OTViewIt and due to an accident my computer was restarted before I was able to save the Extras or ComboFix log.

What do you mean by Findstr and it took longer? It was supposed to delete several files. It seems most of them got removed.
Run OTViewIt again if it didn't work.

Problems I have been having. Well, I have heard that it is safer to run day to day on your PC on a limited (Windows) account in case security is breached, helping prevent access to certain files. So I have set up one (am I mistaken in this assumption?) and in doing so I had a new "Download" alert file pop up with my Symantec Antivirus, as well as problems just having the firewall on. While on either my limited or admin account the firewall kept auto turning off. I then received an error message telling me I should reinstall my Symantec software. However, today I have had no such problems; firewall and antivirus started up. Closed them before running ComboFix.
My svchost.exe, Rtvscan.exe, and ccApp processes are all using 40 MB or so apiece; this seems really high and seems to be related to my Symantec problems. (Not sure about ccApp though, not sure what that is.)

Yes, using a limited account is safer. What were you downloading when you got the download alert from Symantec? Glad your security programs are working well now :thumbsup:

Well, you need to understand that your Symantec is a security suite. I personally am not a fan of Internet Security suites because they hog a lot of resources, based on my experiences with them before. It slows down my computer, especially during its scans, which take almost forever to finish. That may be the reason why your computer is slowing down.

Please answer my questions and add anything else you want. I'll see what else there is to do in the next post.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
