PC infected with Trojan.DNSchanger in system32 folder according to Malwarebytes' Anti-Malware


11 replies to this topic

#1 lazarodato

Posted 16 May 2009 - 01:08 AM

Thanks for the help in advance.

When using Internet Explorer 8 or the Mozilla Firefox search engine powered by Google, they redirect me to random websites that were not really the links I was looking for.

Also, the computer runs slower than when I bought it 2 months ago.

I had McAfee but the virus got through it, then I uninstalled it to use AVG or Norton, but they have been unsuccessful in removing the trojan.

The Malwarebytes' Anti-Malware program runs and finds the trojan but is not able to remove it after restarting the computer.

I already turned off System Restore because it was advised on the Malwarebytes website, but the trojan comes back after restart.


Here is the DDS file.





DDS (Ver_09-05-14.01) - NTFSx86
Run by Lazaro at 22:47:42.31 on Fri 05/15/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.539 [GMT -7:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\igfxext.exe
C:\DOCUME~1\Lazaro\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG09.exe
C:\Documents and Settings\Lazaro\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0309&m=aoa150
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\drivers\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238829326281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lazaro\applic~1\mozilla\firefox\profiles\ntjdp4wj.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\lazaro\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-14 28544]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-5-14 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-5-14 258608]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [2009-4-6 7776]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [2009-3-13 62023]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-5-14 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090508.002\IDSXpx86.sys [2009-5-14 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-5-14 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-14 101936]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-3-31 151936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090515.032\NAVENG.SYS [2009-5-15 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090515.032\NAVEX15.SYS [2009-5-15 876144]
S0 jgyrtfs;jgyrtfs;c:\windows\system32\drivers\ofcmes.sys --> c:\windows\system32\drivers\ofcmes.sys [?]
S0 knzrcgz;knzrcgz;c:\windows\system32\drivers\jkfwarok.sys --> c:\windows\system32\drivers\jkfwarok.sys [?]
S0 vlnej;vlnej;c:\windows\system32\drivers\fhoqq.sys --> c:\windows\system32\drivers\fhoqq.sys [?]
S3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2009-3-13 4538]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [2009-3-13 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [2009-3-13 19414]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [2009-3-13 128248]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [2009-3-13 8333]

=============== Created Last 30 ================

2009-05-14 21:40 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-14 21:38 <DIR> --d----- c:\program files\Panda Security
2009-05-14 20:33 <DIR> --d----- c:\program files\AVG
2009-05-14 01:41 <DIR> --dsh--- c:\documents and settings\lazaro\PrivacIE
2009-05-14 01:35 <DIR> --d--r-- c:\program files\Norton Support
2009-05-14 01:22 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-05-14 01:22 <DIR> --d----- c:\program files\Norton AntiVirus
2009-05-14 01:22 <DIR> --d----- c:\program files\NortonInstaller
2009-05-14 01:04 <DIR> --dsh--- c:\documents and settings\lazaro\IETldCache
2009-05-13 20:51 <DIR> --d----- c:\windows\ie8updates
2009-05-13 20:51 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-13 20:47 <DIR> -cd-h--- c:\windows\ie8
2009-05-13 20:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 20:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-13 20:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-13 19:17 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-13 19:17 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-13 19:17 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-13 19:17 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-13 18:56 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-05-12 22:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-12 22:16 <DIR> --d----- c:\program files\Symantec
2009-05-12 22:16 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-05-12 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-05-12 22:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-05-12 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-05-12 18:57 <DIR> --d----- c:\docume~1\lazaro\applic~1\Malwarebytes
2009-05-12 18:39 <DIR> --d----- c:\docume~1\lazaro\applic~1\GetRightToGo
2009-05-12 14:25 82,726 a------- c:\windows\system32\Autorun.ini
2009-05-12 14:24 <DIR> --d----- c:\windows\system32\autorun
2009-05-12 14:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-12 02:02 0 a------- c:\windows\system32\commonpriv.log.lock
2009-05-12 01:55 <DIR> --d----- c:\docume~1\lazaro\applic~1\AVGTOOLBAR
2009-05-12 01:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-10 04:19 <DIR> --d----- c:\windows\system32\Adobe
2009-05-06 19:11 <DIR> --d----- c:\docume~1\lazaro\applic~1\HorizonWimba
2009-05-06 18:59 49,262 a------- c:\windows\system32\jpicpl32.cpl
2009-05-04 06:47 626,960 a----r-- c:\windows\system32\hpvaut32.dll
2009-05-04 06:47 487,424 a----r-- c:\windows\system32\hpvcp70.dll
2009-05-04 06:47 344,064 a----r-- c:\windows\system32\hpvcr70.dll
2009-05-04 06:47 44,544 a----r-- c:\windows\system32\MSXML4a.dll
2009-05-04 06:47 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-05-04 06:43 <DIR> --d----- c:\program files\common files\HP
2009-05-04 06:40 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys
2009-05-04 06:40 51,056 a----r-- c:\windows\system32\drivers\hpzid412.sys
2009-05-04 06:40 21,488 a----r-- c:\windows\system32\drivers\HPZius12.sys
2009-05-04 06:39 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-05-04 06:39 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-05-04 06:33 <DIR> --d----- c:\program files\HP
2009-05-04 06:32 29,359 a------- c:\windows\hpoins03.dat
2009-05-04 06:32 38,868 -------- c:\windows\hpomdl03.dat
2009-05-04 06:06 232 a------- c:\docume~1\lazaro\applic~1\wklnhst.dat
2009-05-01 17:16 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-05-01 17:16 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-27 00:16 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-04-27 00:14 <DIR> --d----- C:\281aec8e30fc51ef69
2009-04-16 01:34 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-04-03 00:31 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-01-20 11:25 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

============= FINISH: 22:48:15.28 ===============

Edited to insert Attach.txt In-Line ~ Maurice
Attach.txt follows:

DDS (Ver_09-05-14.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/31/2009 11:16:17 AM
System Uptime: 5/15/2009 10:42:40 PM (0 hours ago)

Motherboard: Acer | |
Processor: Intel® Atom™ CPU N270 @ 1.60GHz | CPU | 1596/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 143 GiB total, 129.269 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


1310
1310_Help
1310Tour
1310Trb
Acer Crystal Eye Webcam
Acer ScreenSaver
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
AiO_Scan
AIOMinimal
AiOSoftware
Backpack Driver
Backpack SpeedyCD
Choice Guard
Copy
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Director
DocProc
Fax
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
HPSystemDiagnostics
InstantShare
Intel® Graphics Media Accelerator Driver
InterVideo Register Manager
InterVideo WinDVD
J2SE Runtime Environment 5.0
JMicron JMB38X Flash Media Controller
Junk Mail filter update
Launch Manager
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007 Trial
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Move Media Player
Mozilla Firefox (3.0.10)
MSVCRT
MSXML 4.0 SP2 (KB954430)
Norton AntiVirus
Overland
Panda ActiveScan 2.0
PhotoGallery
PrintScreen
QFolder
QuickProjects
Readme
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Scan
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
SkinsHP1
SkinsHP2
Synaptics Pointing Device Driver
TrayApp
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Windows Internet Explorer 8 (KB969497)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11

==== Event Viewer Messages From Past Week ========

5/15/2009 9:52:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: BHDrvx86 bpfinder ccHP eeCtrl Fips IDSxpx86 intelppm pavboot SRTSPX SYMTDI
5/13/2009 7:20:23 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00242B8346DE. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/13/2009 7:19:55 PM, error: Service Control Manager [7024] - The Norton AntiVirus service terminated with service-specific error 4294967295 (0xFFFFFFFF).
5/13/2009 7:05:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/13/2009 7:01:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: bpfinder Fips intelppm
5/13/2009 7:00:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/13/2009 6:05:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/13/2009 2:04:06 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00242B8346DE. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
5/13/2009 12:49:13 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
5/12/2009 9:56:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD bpfinder Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
5/12/2009 9:56:02 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 9:56:02 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 9:56:02 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 9:56:02 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/12/2009 9:55:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

==== End Of File ===========================

Edited by Maurice Naggar, 16 May 2009 - 12:09 PM.
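As an added example (not part of the thread), the script below scores the SERVICES / DRIVERS section of the DDS log above the way a helper reads it by eye: a boot-start driver whose image DDS could not find (the "--> ... [?]" form), a generated-looking service name, and a description that is just the name repeated. The sample text is a slice of the log above; the regex, weights and threshold are this example's own heuristics, and a single hint on its own (pavboot's name-as-description, bpflt's short consonant name) stays below the threshold.

```python
"""Triage of the SERVICES / DRIVERS section of a DDS log (constructed example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a slice of the SERVICES / DRIVERS section posted above.
# DDS writes "<path> --> <path> [?]" when it could not find or stat the image file.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-14 28544]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-5-14 310320]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2009-3-31 151936]
S0 jgyrtfs;jgyrtfs;c:\windows\system32\drivers\ofcmes.sys --> c:\windows\system32\drivers\ofcmes.sys [?]
S0 knzrcgz;knzrcgz;c:\windows\system32\drivers\jkfwarok.sys --> c:\windows\system32\drivers\jkfwarok.sys [?]
S0 vlnej;vlnej;c:\windows\system32\drivers\fhoqq.sys --> c:\windows\system32\drivers\fhoqq.sys [?]
S3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [2009-3-13 4538]

=============== Created Last 30 ================
"""

# Entry shape: <R|S><start type> <name>;<description>;<image path>[ --> <resolved path>] [<stamp>]
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>\S+))?"
    r"\s+\[(?P<stamp>[^\]]*)\]\s*$"
)
SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    name: str
    start_type: int
    path: str
    score: int
    reasons: list = field(default_factory=list)


def section_lines(log: str, title: str) -> list:
    """Return the non-empty lines of the DDS section whose header contains `title`."""
    lines, inside = [], False
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                       # every "==== Title ====" header starts a new section
            inside = title.lower() in m.group("title").lower()
            continue
        if inside and line:
            lines.append(line)
    return lines


def looks_random(name: str) -> bool:
    """Heuristic: five or more letters with at most one vowel in five reads as generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.2


def score_entry(line: str):
    """Score one SERVICES / DRIVERS line; returns None for lines that do not parse."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    f = Finding(m.group("name"), int(m.group("start")), m.group("path"), 0)
    if m.group("stamp").strip() == "?" or m.group("resolved"):
        f.score += 2
        f.reasons.append("image file missing or unreadable ([?])")
    if f.start_type == 0:
        f.score += 1
        f.reasons.append("boot-start driver")
    if m.group("desc").strip().lower() == f.name.lower():
        f.score += 1
        f.reasons.append("description is just the service name")
    if looks_random(f.name):
        f.score += 1
        f.reasons.append("service name looks generated")
    return f


def triage(log: str, threshold: int = 3) -> list:
    """Flagged drivers, highest score first; a lone hint stays below the threshold."""
    findings = [score_entry(line) for line in section_lines(log, "SERVICES / DRIVERS")]
    flagged = [f for f in findings if f and f.score >= threshold]
    return sorted(flagged, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.name:10} score={f.score} {f.path}")
        for reason in f.reasons:
            print("    -", reason)
```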



#2 Maurice Naggar
Malware Response Team

Posted 16 May 2009 - 12:45 PM

Hello lazarodato.

You should NOT have disabled System Restore. But alas you have done so already. System Restore provides a lifeline in case you get in a bad jam and have a real bad time getting Windows to run again.

Let's have you create a restore point (at this time).
  • Right click the My Computer icon on the Desktop and click on Properties.
  • Click on the System Restore tab.
  • If there is a check mark next to "Turn off System Restore on all drives", then click on the line to clear it.
  • If C is your system drive (as it is in most cases) and you see other drives monitored in the list (like D, E, etc.), click on the other drives, press the Settings button, and get the other drives turned off.
  • We only want to monitor the drive with the Windows OS.
If you are unable to activate System Restore or if the service is disabled, then
from the Start button > RUN option, type in
services.msc

look for System Restore service
If it is listed as off or inactive, press on the link at top left to Start it.

Next, see and do as outlined here: http://bertk.mvps.org/html/createrp.html

After that, also do this:
1. Go Here and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the View tab and look at all of the settings listed. "CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (*select*) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next, un-check Hide protected operating system files.

=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Log off Windows and select Shutdown.
Power off your pc.
If it has a physical connection to a modem or router, disconnect it as well.
If you have a router, unplug it from power.


Power up the PC (while it is NOT connected to modem or router). Immediately start tapping the F8 function key.
You need to get the Advanced Bootup menu, and then select SAFE mode.

In Safe mode, locate and rename Mbam.exe to something like Tango.exe
The program should be located in this folder: c:\program files\Malwarebytes' Anti-Malware

While in Windows Explorer, right-click on mbam.exe and select Rename, and rename it to Tango.exe

Then run Tango (MBAM in Safe mode). Do a Quick scan.

When completed, log off and restart the PC, still disconnected from the internet.
In Normal mode, start Tango and do a new Quick scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

I will need copies of both those logs in your next reply.

Next, reconnect the router if unplugged and wait for it to display all lights and be connected.
Wait about a minute or so.
Reconnect the connections of this pc to the modem or router.

Make sure that pc has internet connectivity.

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator").
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.
Reply with copies of the MBAM scan logs (one from Safe mode and the other from Normal mode)
and the RootRepeal log.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 lazarodato
Topic Starter

Posted 16 May 2009 - 07:15 PM

Here is the RootRepeal log and the two MBAM scans.
Thanks, your instructions are really easy to follow.


Malwarebytes' Anti-Malware 1.36
Database version: 2139
Windows 5.1.2600 Service Pack 3

5/16/2009 4:42:04 PM
mbam-log-2009-05-16 (16-42-04).txt

Scan type: Quick Scan
Objects scanned: 86422
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gxvxccounter (Trojan.DNSchanger) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.36
Database version: 2139
Windows 5.1.2600 Service Pack 3

5/16/2009 4:52:23 PM
mbam-log-2009-05-16 (16-52-23).txt

Scan type: Quick Scan
Objects scanned: 87702
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/16 17:12
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lazaro\ntuser.dat.LOG
Status: Size mismatch (API: 36864, Raw: 1024)

Path: C:\WINDOWS\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lazaro\Local Settings\Temp\etilqs_HFQHbS3QMZTONfijl0Wk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Lazaro\Local Settings\Temp\etilqs_PhbHJ9PSSrOhl5CV0hxN
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Lazaro\Application Data\Mozilla\Firefox\Profiles\ntjdp4wj.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Lazaro\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntjdp4wj.default\Cache\_CACHE_001_
Status: Size mismatch (API: 120316, Raw: 117434)

Path: C:\Documents and Settings\Lazaro\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntjdp4wj.default\Cache\_CACHE_002_
Status: Size mismatch (API: 100230, Raw: 96035)

#4 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 04:20 AM

Hello Lazarodato,

I am glad to hear you find my suggestions easy to follow. You are doing well. We have a few more things to do.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for this member only : Lazarodato
If you are a casual observer and not this member, do NOT try this on your system!


If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

Close all browsers and all other programs that you have started. Save any open documents you may have open & exit open apps.
=

There are some rootkits we need to squash before we do more malware hunting. RootRepeal showed the presence of the "gxvxc" rootkit.

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll
    C:\WINDOWS\system32\drivers\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau.sys
    C:\WINDOWS\system32\drivers\gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf.sys
    
    Drivers to delete:
    gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau
    gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf
    gxvxcserv
    ovfsthx
    UACd.sys
    UACd
    gaopdxserv.sys
    gaopdxserv
    gaopdxl
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv
    
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.
=
  • Download OTListIt2 by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :files
    C:\WINDOWS\system32\drivers\gxvxc*.sys
    C:\WINDOWS\system32\gxvxc*.dll
    C:\WINDOWS\gxvxc*.*
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

If you should see such a message, be sure to write it down fully, copy it into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copies of C:\Avenger
the OTListIt2 MovedFiles log
the C:\Combofix.txt
and tell me, how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
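
Maurice's reading of the RootRepeal log in post #3 (three files under system32 that are invisible to the Windows API, all starting with "gxvxc") is the triage an analyst repeats on every such report. The following is an added example, not code from this thread or from RootRepeal: it parses a saved report, classifies each Status line, and groups hidden files by a shared name stem. The sample log is a trimmed copy of the one posted above, and the benign-file heuristic is this example's own assumption, not a RootRepeal rule.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' report (added example, not thread code)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the RootRepeal log posted in this thread.
SAMPLE_LOG = r"""
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Lazaro\ntuser.dat.LOG
Status: Size mismatch (API: 36864, Raw: 1024)

Path: C:\WINDOWS\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Lazaro\Local Settings\Temp\etilqs_HFQHbS3QMZTONfijl0Wk
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\Lazaro\Local Settings\Application Data\Mozilla\Firefox\Profiles\ntjdp4wj.default\Cache\_CACHE_001_
Status: Size mismatch (API: 120316, Raw: 117434)
"""

EXPECTED_LOCKED = {"hiberfil.sys", "pagefile.sys"}  # Windows itself keeps these locked


@dataclass
class Entry:
    path: str
    status: str
    category: str  # hidden | locked | size_mismatch | alloc_mismatch | error | other


def classify(status: str) -> str:
    """Map a RootRepeal Status line onto a coarse category."""
    prefixes = [
        ("Invisible to the Windows API", "hidden"),  # raw disk sees it, the API does not
        ("Locked to the Windows API", "locked"),
        ("Allocation size mismatch", "alloc_mismatch"),
        ("Size mismatch", "size_mismatch"),
        ("Could not get file information", "error"),
    ]
    return next((cat for p, cat in prefixes if status.startswith(p)), "other")


def parse_rootrepeal(text: str) -> list[Entry]:
    """Return the Path/Status pairs listed under 'Hidden/Locked Files'."""
    entries: list[Entry] = []
    in_section, path = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Hidden/Locked Files":
            in_section = True
        elif in_section and line.startswith("Path: "):
            path = line[len("Path: "):]
        elif in_section and line.startswith("Status: ") and path is not None:
            status = line[len("Status: "):]
            entries.append(Entry(path, status, classify(status)))
            path = None
    return entries


def basename(path: str) -> str:
    # Windows paths: os.path.basename would not split on '\' on a POSIX host.
    return path.rsplit("\\", 1)[-1].lower()


def hidden_families(entries: list[Entry], stem: int = 5) -> dict[str, list[str]]:
    """Group hidden files whose names share their first `stem` characters: several
    hidden files under system32 with one stem is the fingerprint of a single rootkit
    dropping a DLL plus drivers under random-looking names (the "gxvxc" set here)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        if e.category == "hidden":
            groups[basename(e.path)[:stem]].append(e.path)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def likely_benign(e: Entry) -> bool:
    """Analyst heuristic (this example's assumption, not a RootRepeal rule): size and
    allocation mismatches on files open for writing (logs, temp files, browser caches)
    are routine, and the OS keeps hiberfil/pagefile locked. Only 'hidden' is a strong signal."""
    name = basename(e.path)
    if e.category == "locked":
        return name in EXPECTED_LOCKED
    if e.category in ("size_mismatch", "alloc_mismatch", "error"):
        p = e.path.lower()
        return "\\temp\\" in p or "\\cache\\" in p or name.endswith(".log")
    return False
```

Running `hidden_families(parse_rootrepeal(SAMPLE_LOG))` on the sample yields one family, "gxvxc", with the three system32 paths, while every other entry falls under the benign heuristic.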

#5 lazarodato
  • Topic Starter
  • Members
  • 11 posts

Posted 17 May 2009 - 08:09 AM

Thanks Maurice Naggar,

Easy steps.

I used both Internet Explorer and Firefox and when I ran searches, I went directly to the websites, instead of being redirected.
Also, it seemed to run much faster than the past few days.

Here are the copies of Avenger, OTListIt2 MovedFiles log, and Combofix.

< Edited Avenger log for brevity and readability ~ Maurice >


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau.sys
Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf.sys" deleted successfully.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau" not found!
Deletion of driver "gxvxcbwwowrrilrixjkvstymyrevpiqwbuyau" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf" not found!
Deletion of driver "gxvxcnxtniysvgrmtjnwyrpjtduufiaiwjcrf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gxvxcserv" not found!
Deletion of driver "gxvxcserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.


Completed script processing.

*******************

Finished! Terminate.

---------------------------------------------------


========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
File\Folder C:\WINDOWS\system32\drivers\gxvxc*.sys not found.
File\Folder C:\WINDOWS\system32\gxvxc*.dll not found.
File\Folder C:\WINDOWS\gxvxc*.* not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETF963.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7e8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.15.8 log created on 05172009_053924

Files moved on Reboot...
File C:\WINDOWS\temp\JETF963.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7e8.dat not found!

Registry entries deleted on Reboot...

-----------------------------------------

ComboFix 09-05-16.05 - Lazaro 05/17/2009 5:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.636 [GMT -7:00]
Running from: c:\documents and settings\Lazaro\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\autorun.ini
c:\windows\system32\gxvxccounter

.
((((((((((((((((((((((((( Files Created from 2009-04-17 to 2009-05-17 )))))))))))))))))))))))))))))))
.

2009-05-17 12:39 . 2009-05-17 12:39 -------- d-----w C:\_OTListIt
2009-05-16 23:58 . 2009-05-16 23:59 -------- d-----w C:\RootRepeal
2009-05-16 23:13 . 2009-05-16 23:13 -------- d-----w c:\program files\ERUNT
2009-05-15 16:32 . 2009-05-15 16:32 -------- d-sh--w c:\documents and settings\Coral\PrivacIE
2009-05-15 16:31 . 2009-05-15 16:31 -------- d-sh--w c:\documents and settings\Coral\IETldCache
2009-05-15 04:40 . 2008-06-20 00:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-15 04:38 . 2009-05-15 04:38 -------- d-----w c:\program files\Panda Security
2009-05-15 03:33 . 2009-05-15 03:33 -------- d-----w c:\program files\AVG
2009-05-14 08:41 . 2009-05-14 08:41 -------- d-sh--w c:\documents and settings\Lazaro\PrivacIE
2009-05-14 08:35 . 2009-05-14 08:35 -------- d-----r c:\program files\Norton Support
2009-05-14 08:22 . 2009-05-14 08:22 -------- d-----w c:\windows\system32\drivers\NAV
2009-05-14 08:22 . 2009-05-14 08:23 -------- d-----w c:\program files\Norton AntiVirus
2009-05-14 08:22 . 2009-05-14 08:22 -------- d-----w c:\program files\Windows Sidebar
2009-05-14 08:22 . 2009-05-14 08:22 -------- d-----w c:\program files\NortonInstaller
2009-05-14 08:04 . 2009-05-14 08:04 -------- d-sh--w c:\documents and settings\Lazaro\IETldCache
2009-05-14 03:51 . 2009-05-14 03:51 -------- d-----w c:\windows\ie8updates
2009-05-14 03:51 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-14 03:47 . 2009-05-14 03:50 -------- dc-h--w c:\windows\ie8
2009-05-14 03:19 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-14 03:19 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-14 03:19 . 2009-05-17 12:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-14 02:17 . 2009-05-14 08:23 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-14 02:17 . 2009-05-14 08:23 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-14 01:56 . 2009-05-13 05:16 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-14 01:13 . 2009-05-14 01:13 -------- d-----w c:\documents and settings\Coral\Local Settings\Application Data\Mozilla
2009-05-13 22:51 . 2009-05-13 22:51 -------- d-----w c:\documents and settings\Coral\Local Settings\Application Data\Symantec
2009-05-13 22:41 . 2009-05-13 22:41 -------- d-----w c:\documents and settings\Coral\Application Data\Malwarebytes
2009-05-13 08:59 . 2009-05-13 08:59 0 ----a-w c:\windows\nsreg.dat
2009-05-13 08:58 . 2009-05-13 08:58 -------- d-----w c:\documents and settings\Lazaro\Local Settings\Application Data\Mozilla
2009-05-13 05:27 . 2009-05-13 05:27 -------- d-----w c:\documents and settings\Lazaro\Local Settings\Application Data\Symantec
2009-05-13 05:17 . 2009-05-14 01:56 -------- d-----w c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-05-13 05:17 . 2009-05-13 05:17 -------- d-----w c:\documents and settings\Lazaro\Local Settings\Application Data\Downloaded Installations
2009-05-13 05:16 . 2009-05-14 08:32 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-13 05:16 . 2009-05-14 08:23 -------- d-----w c:\program files\Symantec
2009-05-13 05:15 . 2009-05-14 08:22 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-13 05:15 . 2009-05-14 08:22 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-13 02:04 . 2009-05-14 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-13 01:57 . 2009-05-13 01:57 -------- d-----w c:\documents and settings\Lazaro\Application Data\Malwarebytes
2009-05-13 01:39 . 2009-05-14 02:15 -------- d-----w c:\documents and settings\Lazaro\Application Data\GetRightToGo
2009-05-12 21:24 . 2009-05-12 21:25 -------- d-----w c:\windows\system32\autorun
2009-05-12 21:16 . 2009-05-12 21:16 -------- d-----w c:\documents and settings\Coral\Application Data\AVGTOOLBAR
2009-05-12 21:15 . 2009-05-12 21:15 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-12 08:55 . 2009-05-15 03:23 -------- d-----w c:\documents and settings\Lazaro\Application Data\AVGTOOLBAR
2009-05-12 08:54 . 2009-05-15 03:35 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-10 11:19 . 2009-05-10 11:22 -------- d-----w c:\windows\system32\Adobe
2009-05-08 22:02 . 2009-05-08 22:02 -------- d-----w c:\documents and settings\Coral\Local Settings\Application Data\Adobe
2009-05-07 02:11 . 2009-05-07 02:11 -------- d-----w c:\documents and settings\Lazaro\Application Data\HorizonWimba
2009-05-07 02:11 . 2009-05-07 02:11 -------- d-----w c:\windows\Sun
2009-05-07 01:59 . 2009-05-07 01:59 -------- d-----w c:\program files\Java
2009-05-07 01:56 . 2009-05-07 01:56 -------- d-----w c:\program files\Common Files\Java
2009-05-04 22:44 . 2009-05-04 22:44 -------- d-----w c:\documents and settings\Coral\Application Data\Template
2009-05-04 22:44 . 2009-05-04 22:45 74 ----a-w c:\documents and settings\Coral\Application Data\wklnhst.dat
2009-05-04 13:47 . 2003-12-11 18:15 44544 ----a-r c:\windows\system32\MSXML4a.dll
2009-05-04 13:47 . 2003-12-11 18:15 626960 ----a-r c:\windows\system32\hpvaut32.dll
2009-05-04 13:47 . 2003-12-11 18:15 487424 ----a-r c:\windows\system32\hpvcp70.dll
2009-05-04 13:47 . 2003-12-11 18:15 344064 ----a-r c:\windows\system32\hpvcr70.dll
2009-05-04 13:47 . 2009-05-04 13:47 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-05-04 13:43 . 2009-05-04 13:43 -------- d-----w c:\program files\Common Files\HP
2009-05-04 13:40 . 2004-02-26 06:18 16496 ----a-r c:\windows\system32\drivers\HPZipr12.sys
2009-05-04 13:40 . 2004-02-26 06:18 51056 ----a-r c:\windows\system32\drivers\hpzid412.sys
2009-05-04 13:40 . 2004-02-26 06:18 21488 ----a-r c:\windows\system32\drivers\HPZius12.sys
2009-05-04 13:39 . 2008-04-14 07:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-05-04 13:39 . 2008-04-14 07:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-05-04 13:33 . 2009-05-04 13:47 -------- d-----w c:\program files\HP
2009-05-04 13:32 . 2009-05-04 13:50 29359 ----a-w c:\windows\hpoins03.dat
2009-05-04 13:32 . 2004-02-26 06:17 38868 ------w c:\windows\hpomdl03.dat
2009-05-04 13:06 . 2009-05-04 13:06 -------- d-----w c:\documents and settings\Lazaro\Application Data\Template
2009-05-04 13:06 . 2009-05-04 13:10 232 ----a-w c:\documents and settings\Lazaro\Application Data\wklnhst.dat
2009-05-03 05:53 . 2009-05-03 05:53 -------- d-----w c:\documents and settings\Coral\Local Settings\Application Data\WMTools Downloaded Files
2009-05-02 20:01 . 2009-05-02 20:53 -------- d-----w c:\documents and settings\Coral\Application Data\Move Networks
2009-05-02 19:04 . 2009-05-17 02:37 -------- d-----w c:\documents and settings\Coral\Tracing
2009-05-02 00:16 . 2008-04-14 07:17 25856 -c--a-w c:\windows\system32\dllcache\usbprint.sys
2009-05-02 00:16 . 2008-04-14 07:17 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
2009-04-27 07:16 . 2009-04-27 07:16 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-27 07:14 . 2009-04-27 07:15 -------- d-----w C:\281aec8e30fc51ef69
2009-04-27 07:14 . 2009-04-27 07:15 -------- d-----w c:\windows\system32\drivers\UMDF
2009-04-23 04:18 . 2009-04-23 04:18 -------- d-----w c:\documents and settings\Coral\Application Data\eSobi
2009-04-22 22:33 . 2009-05-12 23:19 -------- d-----w c:\documents and settings\Lazaro\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 22:58 . 2009-03-31 18:17 60592 ----a-w c:\documents and settings\Lazaro\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-14 08:23 . 2009-05-14 02:17 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-14 08:23 . 2009-05-14 02:17 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-14 03:42 . 2009-01-20 19:15 -------- d-----w c:\program files\Microsoft Works
2009-05-12 09:15 . 2009-01-20 19:28 -------- d-----w c:\program files\eSobi
2009-04-17 19:45 . 2009-03-31 14:51 60592 ----a-w c:\documents and settings\Coral\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-08 03:42 . 2009-01-20 18:45 -------- d-----w c:\program files\Common Files\Adobe
2009-04-06 08:12 . 2009-04-06 08:04 -------- d-----w c:\program files\Backpack
2009-04-06 08:11 . 2009-04-06 08:03 -------- d-----w c:\program files\SpeedyCD
2009-04-02 08:57 . 2009-04-02 08:57 -------- d-----w c:\program files\MSBuild
2009-04-02 08:56 . 2009-04-02 08:56 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 18:18 . 2009-03-31 18:18 -------- d-----w c:\program files\Common Files\CrystalEye
2009-03-31 18:18 . 2009-01-20 20:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 11:34 . 2008-10-16 20:38 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2007-08-14 02:44 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2008-04-14 20:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2007-08-14 02:39 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2007-08-14 02:39 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2007-08-14 02:36 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2007-08-14 02:01 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2007-08-14 02:32 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2007-08-14 02:54 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2008-04-14 20:00 284160 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"AzMixerSel"="c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe" [2006-07-18 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-09-04 425984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-05 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2009-05-07 36972]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-12-30 18082304]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/14/2009 9:40 PM 28544]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [5/14/2009 1:23 AM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [5/14/2009 1:23 AM 258608]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\BPCDRVSD.SYS [4/6/2009 1:03 AM 7776]
R1 bpfinder;BACKPACK Finder;c:\windows\system32\drivers\bpfinder.sys [3/13/2009 12:05 AM 62023]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [5/14/2009 1:23 AM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090508.002\IDSXpx86.sys [5/14/2009 1:29 AM 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [5/14/2009 1:23 AM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/14/2009 1:29 AM 101936]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [3/31/2009 11:18 AM 151936]
S0 jgyrtfs;jgyrtfs;c:\windows\system32\drivers\ofcmes.sys --> c:\windows\system32\drivers\ofcmes.sys [?]
S0 knzrcgz;knzrcgz;c:\windows\system32\drivers\jkfwarok.sys --> c:\windows\system32\drivers\jkfwarok.sys [?]
S0 vlnej;vlnej;c:\windows\system32\drivers\fhoqq.sys --> c:\windows\system32\drivers\fhoqq.sys [?]
S3 bpflt;BACKPACK Filter;c:\windows\system32\drivers\bpflt.sys [3/13/2009 12:05 AM 4538]
S3 bppccard;BACKPACK PC Card;c:\windows\system32\drivers\bppccard.sys [3/13/2009 12:05 AM 5493]
S3 bppnpdrv;BACKPACK Driver;c:\windows\system32\drivers\bppnpdrv.sys [3/13/2009 12:05 AM 19414]
S3 bpusbdrv;BACKPACK USB 1 Cable;c:\windows\system32\drivers\bpusbdrv.sys [3/13/2009 12:05 AM 128248]
S3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\bpusbflt.sys [3/13/2009 12:05 AM 8333]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\WebReg 20090504065232.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2003-07-07 08:43]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-M3000Mnt - M3000Rmv.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Lazaro\Application Data\Mozilla\Firefox\Profiles\ntjdp4wj.default\
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\Lazaro\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 05:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-05-17 5:54
ComboFix-quarantined-files.txt 2009-05-17 12:54

Pre-Run: 138,755,600,384 bytes free
Post-Run: 138,744,238,080 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

225 --- E O F --- 2009-05-01 12:16

Edited by Maurice Naggar, 17 May 2009 - 08:30 AM.


#6 Maurice Naggar
    Eradicator de malware
  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 17 May 2009 - 09:02 AM

There are 3 driver files I'd like you to submit for online analysis:

Use your browser to go here at the VirusTotal website.
Click the Browse button and then navigate to c:\windows\system32\drivers\ofcmes.sys, then click the Submit button.
The various virus scanners will identify the file and, if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

Repeat the same steps for c:\windows\system32\drivers\jkfwarok.sys
Save the results, and post back here in a reply.

Repeat the same steps for c:\windows\system32\drivers\fhoqq.sys
Save the results, and post back here in a reply.
==
If you have purchased the Norton AV, then you should un-install AVG antivirus.

This system has an old version of Java Run-time.

Uninstall jre1.5 (or any earlier) + any other (JRE Runtime Environment) Sun Java package via Add/Remove Programs.
If you see any other Java versions there, such as
  • J2SE Runtime Environment 5.0
  • Java SE Runtime Environment
  • Java 6
uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found. Do NOT delete C:\Program Files\JavaVM <=this folder, if found!
Open an IE window and go to http://java.sun.com/javase/downloads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 13
> If Information Bar pop-ups up, right-click on it and say it's OK to display the blocked content; You do not have to install the Java Web Start ActiveX Control
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.
  • Tip: Choose Custom install to select only the part(s) you need/want.
Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.

To test your Java Run-time, you may go to this page http://www.javatester.org/version.html
When all is well, you should see Java Version: 1.6.0_13 from Sun Microsystems Inc.
=

Plug in your USB flash drives so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.
=

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
>
Reply with a copy of the 3 VirusTotal scan results,
a copy of the DrWeb CureIt report,
and tell me: how is your system now?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 lazarodato

lazarodato
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:54 AM

Posted 17 May 2009 - 10:06 PM

Hi Maurice Naggar,

I was unable to locate the 3 drivers for analysis in virustotal.com.

They are not located in the c:\windows\system32\drivers\ folder. Also, I used the search in Windows Explorer and was also unable to locate them.

I installed the new version of Java.

For TweakUI and the Disinfector, they worked properly.

For Dr.Web CureIt, it did both scans and found no problems; therefore it did not create any log to save after scanning.


My computer is working fine, IE and Firefox too, but my A/V Norton Antivirus keeps blocking a trojan horse (Backdoor trojan) and it is unable to remove it. I don't know if that's a problem with the antivirus or there really is a trojan.

I was planning to remove it and install AVG because I had it on my old laptop and never had a problem with it.

If you have any advice on the antivirus program, I would gladly appreciate it. Also, if you think I made a mistake because of which Dr.Web CureIt did not find a virus, let me know how to rescan, but I am sure I followed your instructions step by step.

Thanks, and hope to hear from you soon.

lazarodato

#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:04:54 AM

Posted 19 May 2009 - 05:56 PM

You stated

my A/V Norton Antivirus keeps blocking a trojan horse (Backdoor trojan) and it is unable to remove it.

You need to see what "trojan" or file the antivirus is referring to. Details help.

See this topic at BC forums on how to temporarily turn off the real-time scanner of your antivirus,
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


and then, do the following

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

After all is done, turn back on the one antivirus you consider your active antivirus.
Then, reply with a copy of the Sysclean.log

Edited by Maurice Naggar, 19 May 2009 - 06:13 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 lazarodato

lazarodato
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:54 AM

Posted 20 May 2009 - 06:28 AM

Hi,

The details about the trojan I mentioned earlier are the following.

Found in 2 infected files and 1 browser cache.

Details:

globalroot\systemroot\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll

globalroot\systemroot\system32\gxvxcxemxfmuwvkukdmrxlvboeijfhvjkdthk.dll

Hope this helps a bit.
I got these details straight from Norton Antivirus.

However, when I run Malwarebytes' Anti-malware by itself, it is unable to detect any problems.


Attached is the sysclean.log you requested.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2009-05-20, 03:00:06, Auto-clean mode specified.
2009-05-20, 03:00:07, Initialized Rootkit Driver version 2.2.0.1004.
2009-05-20, 03:00:07, Running scanner "C:\CDE\TSC.BIN"...
2009-05-20, 03:00:23, Scanner "C:\CDE\TSC.BIN" has finished running.
2009-05-20, 03:00:23, TSC Log:

Damage Cleanup Engine (DCE) 6.0 (Build 1172)
Windows XP (Build 2600: Service Pack 3)

Start time: Wed May 20 2009 03:00:08

Load Damage Cleanup Template (DCT) "C:\CDE\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\CDE\tsc.ptn" (version 1034) [success]

Complete time: Wed May 20 2009 03:00:23

Execute pattern count (3051), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-05-20, 03:00:23, Running scanner "C:\CDE\VSCANTM.BIN"...
2009-05-20, 03:44:43, Scanner "C:\CDE\VSCANTM.BIN" has finished running.
2009-05-20, 03:44:43, VSCANTM Log:

2009-05-20, 03:44:43, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/20/2009 03:00:23
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 139 (400323/400323 Patterns) (2009/05/19) (613900)

Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.139

49176 files have been read.
49176 files have been checked.
49135 files have been scanned.
117496 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/20/2009 03:44:43 44 minutes 19 seconds (2658.26 seconds) has elapsed.(54.056 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-20, 03:44:43, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/20/2009 03:00:23
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 139 (400323/400323 Patterns) (2009/05/19) (613900)

Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.139

49176 files have been read.
49176 files have been checked.
49135 files have been scanned.
117496 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/20/2009 03:44:43 44 minutes 19 seconds (2658.26 seconds) has elapsed.(54.056 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-20, 03:44:43, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 5/20/2009 03:00:23
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 139 (400323/400323 Patterns) (2009/05/19) (613900)

Command Line: C:\CDE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\CDE\lpt$vpn.139

49176 files have been read.
49176 files have been checked.
49135 files have been scanned.
117496 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 5/20/2009 03:44:43 44 minutes 19 seconds (2658.26 seconds) has elapsed.(54.056 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-05-20, 03:44:43, Running SSAPI scanner ""...
2009-05-20, 04:04:43, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 7.69
SSAPI Anti-Rootkit Version: 2.2.0.1004

Spyware Scan Started: 05/20/2009 03:44:49

Detected: 0 items.

Spyware Scan Ended: 05/20/2009 04:04:43
Scan Complete. Time=1199.557373.

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA
  • Local time:04:54 AM

Posted 20 May 2009 - 12:18 PM

The dll (a component of a rootkit infection) was removed earlier; so Norton should not have traces of it ---unless it is finding it in a quarantine folder.
The MBAM scan was clear (again) because the rootkit + the DNS Changer have been quashed.
The Sysclean log is clean.
Run 1 more report for me, using OTListIt2:
  • Close all open windows on the Task Bar. Click the icon for OTListit2 (for Vista, right click the icon and Run as Administrator) to start the program.
  • In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
  • Now click Run Scan at Top left and let the program run uninterrupted. It will take about 4 minutes.
  • It will produce two logs for you, one will pop up called OTListIt.txt, the other will be saved on your desktop and called Extras.txt.
  • Exit Notepad. Remember where you've saved them!
  • Exit OTListIt2 by clicking the X at top right.
Reply with a copy of OTListIt.txt

Edited by Maurice Naggar, 20 May 2009 - 12:19 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
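Reading one of these reports is mostly a matter of pattern-matching its lines: processes, services and drivers appear as `PRC -`, `SRV -` and `DRV -` entries carrying the file's timestamp, size, embedded company name and path, and registry hooks appear as `O2`/`O3`/`O4` entries. The script below is an added example, not code from this thread or from OldTimer's tool: it applies a few first-pass triage checks that a helper normally does by eye, over constructed sample lines in that format. The `qzkvtwxrp.sys` entry is made up to stand in for the randomly named rootkit components discussed in this thread, `User` is a placeholder profile name, and the directory list and the thresholds in `looks_random` are my assumptions rather than rules from the tool.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in OTListIt2's report format. All but one are
# modelled on the kinds of entries seen in this thread's report; the
# qzkvtwxrp.sys driver is made up (assumption) to stand in for a randomly
# named rootkit component, and "User" is a placeholder profile name.
SAMPLE_LINES = [
    r"PRC - [2008/04/14 13:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE",
    r"PRC - [2009/05/19 13:16:58 | 00,212,992 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\User\Local Settings\temp\RtkBtMnt.exe",
    r"DRV - [2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [On_Demand | Running])",
    r"DRV - [2009/05/15 02:11:04 | 00,041,472 | ---- | M] () -- C:\WINDOWS\system32\drivers\qzkvtwxrp.sys -- (qzkvtwxrp [System | Running])",
    r"SRV - [2008/04/14 13:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found",
    r'O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)',
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# One PRC/SRV/DRV entry: [date | size | attrs | flag] (company) -- path [-- (service)]
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - \[(?P<date>[^|\]]+) \| (?P<size>[^|\]]+) \| "
    r"(?P<attrs>[^|\]]+) \| (?P<flag>[^\]]+)\] \((?P<company>[^)]*)\) -- "
    r"(?P<path>.+?)(?: -- \((?P<service>[^)]*)\))?$"
)

# Locations from which legitimate services and drivers rarely run (assumption).
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\", "\\recycler\\")
VOWELS = set("aeiou")


@dataclass
class Finding:
    line_no: int
    subject: str
    reasons: List[str]


def looks_random(stem: str) -> bool:
    """Crude test for machine-generated names: letters only, few vowels
    or a long consonant run. Thresholds are assumptions, tuned for a hint."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest = run = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 5


def file_stem(path: str) -> str:
    """'C:\\dir\\name.sys' -> 'name'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0]


def check_entry(m: "re.Match") -> List[str]:
    reasons = []
    path = m.group("path")
    if any(d in path.lower() for d in SUSPECT_DIRS):
        reasons.append("executes from a temp/profile directory")
    if not m.group("company").strip():
        reasons.append("no company name embedded in the file")
        # Only test the name when the vendor is also missing, to limit noise.
        if looks_random(file_stem(path)):
            reasons.append("file name looks randomly generated")
    return reasons


def triage(text: str) -> List[Finding]:
    """Return the entries worth a second look, with the reason for each."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ENTRY_RE.match(line)
        if m:
            reasons, subject = check_entry(m), m.group("path")
        elif "File not found" in line:
            reasons = ["registry entry points at a missing file (orphaned or removed component)"]
            subject = line
        else:
            continue
        if reasons:
            findings.append(Finding(line_no, subject, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.subject}")
        for r in f.reasons:
            print(f"    - {r}")
```

Everything it flags is a lead for a person to verify, not a verdict: the Realtek component is flagged purely because it runs from a temp folder, and drivers with no vendor string (an OEM recovery driver, for instance) are common on retail machines, which is why the random-name heuristic is only consulted when the company name is also missing.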

#11 lazarodato

lazarodato
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:54 AM

Posted 21 May 2009 - 01:29 AM

Here are the two files you requested after running OTListIt2.exe

OTListIT.txt

OTListIt logfile created on: 5/20/2009 8:08:48 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Lazaro\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1011.88 Mb Total Physical Memory | 566.65 Mb Available Physical Memory | 56.00% Memory free
2.37 Gb Paging File | 1.98 Gb Available in Paging File | 83.55% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.20 Gb Total Space | 128.78 Gb Free Space | 89.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAZARITO
Current User Name: Lazaro
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2009/05/20 07:41:18 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2007/01/04 20:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2009/05/17 08:16:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/05/20 07:41:16 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe
PRC - [2009/05/20 07:41:31 | 00,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/20 07:41:21 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe
PRC - [2009/05/20 07:41:31 | 00,692,504 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe
PRC - [2008/04/14 13:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2008/02/28 15:00:04 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2008/02/28 15:00:14 | 00,137,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2008/02/28 15:00:16 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2008/09/03 22:46:04 | 00,425,984 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
PRC - [2008/12/30 14:58:28 | 18,082,304 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2008/04/25 09:32:08 | 01,044,480 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2008/05/13 20:14:34 | 00,821,768 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE
PRC - [2003/08/04 17:28:18 | 00,049,152 | ---- | M] (Hewlett-Packard) -- C:\Program Files\HP\HP Software Update\HPWuSchd.exe
PRC - [2003/12/22 08:38:42 | 00,241,664 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
PRC - [2009/05/17 08:16:41 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/20 07:41:25 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2008/02/28 15:00:10 | 00,170,520 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxext.exe
PRC - [2009/05/19 13:16:58 | 00,212,992 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Documents and Settings\Lazaro\Local Settings\temp\RtkBtMnt.exe
PRC - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
PRC - [2009/05/17 05:19:07 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lazaro\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/08/01 08:31:11 | 00,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler [Disabled | Stopped])
SRV - [2009/05/20 07:41:16 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe -- (avg8emc [Auto | Running])
SRV - [2009/05/20 07:41:18 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd [Auto | Running])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/14 13:00:00 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Running])
SRV - [2007/01/04 20:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr [Auto | Running])
SRV - [2009/05/17 08:16:41 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2008/08/01 08:31:01 | 03,220,856 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate [On_Demand | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2004/02/25 23:18:00 | 00,065,795 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008/08/20 20:47:46 | 01,318,464 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\athw.sys -- (AR5416 [On_Demand | Running])
DRV - [2009/05/20 07:41:31 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/20 07:41:31 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/20 07:41:25 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2002/05/13 02:55:42 | 00,007,776 | ---- | M] (Micro Solutions Inc.) -- C:\WINDOWS\System32\drivers\BPCDRVSD.SYS -- (BpCdrVsd [System | Running])
DRV - [2002/10/30 04:13:14 | 00,062,023 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bpfinder.sys -- (bpfinder [System | Running])
DRV - [2002/10/30 04:13:26 | 00,004,538 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bpflt.sys -- (bpflt [On_Demand | Stopped])
DRV - [2002/10/30 04:12:48 | 00,005,493 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bppccard.sys -- (bppccard [On_Demand | Stopped])
DRV - [2002/10/30 04:20:36 | 00,019,414 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bppnpdrv.sys -- (bppnpdrv [On_Demand | Stopped])
DRV - [2002/10/30 04:20:08 | 00,128,248 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bpusbdrv.sys -- (bpusbdrv [On_Demand | Stopped])
DRV - [2002/10/30 04:13:36 | 00,008,333 | ---- | M] (Micro Solutions, Inc.) -- C:\WINDOWS\system32\DRIVERS\bpusbflt.sys -- (bpusbflt [On_Demand | Stopped])
DRV - [2004/12/07 23:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) -- C:\WINDOWS\system32\DRIVERS\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
DRV - [2008/04/14 13:00:00 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2004/02/25 23:18:00 | 00,051,056 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2004/02/25 23:18:00 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2004/02/25 23:18:02 | 00,021,488 | R--- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2008/02/15 13:12:06 | 05,854,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\igxpmp32.sys -- (ialm [On_Demand | Running])
DRV - [2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys [On_Demand | Running])
DRV - [2009/01/06 19:00:08 | 04,968,448 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2008/08/06 16:54:14 | 00,151,936 | ---- | M] () -- C:\WINDOWS\System32\Drivers\M3000KNT.sys -- (M3000Srv [On_Demand | Running])
DRV - [2008/04/14 13:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2008/10/30 21:14:20 | 00,117,888 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys -- (RTLE8023xp [On_Demand | Running])
DRV - [2008/04/14 13:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/25 09:17:10 | 00,225,024 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5
FF - prefs.js..extensions.enabledItems: {1d5287d1-8a92-0001-1f31-1cec198018d8}:2.1.0.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/04/02 01:58:40 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/17 08:16:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/05/20 07:47:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\PROGRAM FILES\AVG\AVG8\TOOLBARFF [2009/05/20 07:47:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/05/13 01:58:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/05/17 08:17:02 | 00,000,000 | ---D | M]

[2009/05/13 01:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\mozilla\Extensions
[2009/05/13 01:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/13 01:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\mozilla\Firefox\Profiles\ntjdp4wj.default\extensions
[2009/05/20 18:49:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/05/13 01:58:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/05/17 08:17:06 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/23 21:38:30 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/23 21:38:32 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/04/23 17:39:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/23 17:39:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/23 17:39:08 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/23 17:39:08 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/23 17:39:08 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/05/13 01:58:20 | 00,002,221 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\SafeSearch.xml
[2009/04/23 17:39:08 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/23 17:39:08 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe (Acer Inc.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" (Hewlett-Packard Company)
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe" (Hewlett-Packard)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 (Microsoft Corporation)
O4 - HKLM..\Run: [LaunchApp] Alaunch (Acer Inc.)
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC ()
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC (Microsoft Corporation)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1238829326281 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/20 11:11:40 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/05/17 08:35:06 | 00,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/20 19:43:21 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[2009/05/20 04:58:50 | 36,294,399 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/20 04:58:50 | 06,061,540 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/20 04:58:50 | 00,434,673 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/20 04:58:50 | 00,058,917 | ---- | C] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/20 04:58:50 | 00,001,511 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/20 04:58:49 | 00,108,552 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/20 04:58:49 | 00,011,952 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/20 04:58:48 | 00,325,896 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/20 04:58:48 | 00,027,784 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/20 04:58:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\Avg
[2009/05/20 04:58:37 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/05/20 04:54:54 | 60,939,848 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Lazaro\My Documents\cholas.exe
[2009/05/20 02:53:30 | 00,000,000 | ---D | C] -- C:\CDE
[2009/05/19 13:15:53 | 10,611,05664 | -HS- | C] () -- C:\hiberfil.sys
[2009/05/18 14:08:46 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Hi professor Nava.doc
[2009/05/17 08:46:02 | 14,043,440 | ---- | C] (Doctor Web, Ltd.) -- C:\Documents and Settings\Lazaro\Desktop\drweb-cureit.exe
[2009/05/17 08:35:06 | 00,000,000 | RHSD | C] -- C:\autorun.inf
[2009/05/17 08:25:22 | 00,266,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\TweakUI.exe
[2009/05/17 08:25:22 | 00,160,217 | ---- | C] () -- C:\WINDOWS\System32\PowerToysLicense.rtf
[2009/05/17 08:25:11 | 00,150,192 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\TweakUiPowertoySetup.exe
[2009/05/17 08:16:33 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/05/17 08:16:01 | 16,283,032 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\jre-6u13-windows-i586-p.exe
[2009/05/17 07:11:44 | 00,016,982 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\There are 3 driver files I.docx
[2009/05/17 07:00:10 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/05/17 05:54:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Local Settings\temp
[2009/05/17 05:49:37 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/05/17 05:49:34 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/05/17 05:49:33 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/05/17 05:45:48 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/05/17 05:45:48 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/05/17 05:45:48 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/05/17 05:45:48 | 00,117,248 | ---- | C] () -- C:\WINDOWS\vFind.exe
[2009/05/17 05:45:48 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/05/17 05:45:48 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/05/17 05:45:48 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/05/17 05:45:48 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/05/17 05:45:35 | 00,000,000 | ---D | C] -- C:\Combo-Fix
[2009/05/17 05:45:20 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/05/17 05:39:24 | 00,000,000 | ---D | C] -- C:\_OTListIt
[2009/05/17 05:33:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Desktop\AVEOTLCOMBO
[2009/05/17 05:19:29 | 02,988,937 | R--- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Combo-Fix.exe
[2009/05/17 05:18:50 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lazaro\Desktop\OTListIt2.exe
[2009/05/17 05:15:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Desktop\avenger
[2009/05/17 05:14:27 | 00,724,952 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\avenger.zip
[2009/05/17 05:01:03 | 00,000,697 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Shortcut to tango.exe.lnk
[2009/05/16 16:58:48 | 00,000,000 | ---D | C] -- C:\RootRepeal
[2009/05/16 16:57:33 | 00,440,104 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\RootRepeal.zip
[2009/05/16 16:14:23 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/05/16 16:13:18 | 00,000,615 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\NTREGOPT.lnk
[2009/05/16 16:13:18 | 00,000,596 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\ERUNT.lnk
[2009/05/16 16:13:17 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/16 16:11:45 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Lazaro\Desktop\erunt-setup.exe
[2009/05/15 23:05:17 | 00,010,487 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Thanks for the help in advance.docx
[2009/05/15 22:45:35 | 00,359,883 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\dds.scr
[2009/05/14 22:17:50 | 00,617,662 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Nogales Family Scholarship Flyer.pdf
[2009/05/14 21:09:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Local Settings\Apps
[2009/05/14 20:22:21 | 00,693,528 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\avgremover.exe
[2009/05/13 20:51:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/05/13 20:51:29 | 00,102,400 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/05/13 20:47:59 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/05/13 20:19:38 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/13 20:19:35 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/13 20:19:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/13 19:26:34 | 02,967,816 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Lazaro\Desktop\mbam-setup.exe
[2009/05/13 18:55:10 | 00,355,974 | ---- | C] (Digital River, Inc.) -- C:\Documents and Settings\Lazaro\Desktop\Download NAV09EN1 now.exe
[2009/05/13 18:37:44 | 43,064,720 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\20090513-020-v5i32.exe
[2009/05/13 01:59:00 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/05/13 01:58:29 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\Mozilla
[2009/05/13 01:58:17 | 00,001,606 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/13 01:58:10 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/05/13 01:48:06 | 07,526,856 | ---- | C] (Mozilla) -- C:\Documents and Settings\Lazaro\My Documents\Firefox Setup 3.0.10.exe
[2009/05/12 22:17:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/05/12 22:16:52 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/05/12 22:16:52 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2009/05/12 22:15:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/05/12 22:15:23 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/05/12 19:04:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/05/12 18:57:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\Malwarebytes
[2009/05/12 18:40:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Desktop\Downloads
[2009/05/12 18:39:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\GetRightToGo
[2009/05/12 15:00:37 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Discussion paragraph.doc
[2009/05/12 14:26:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/05/12 14:24:13 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\autorun
[2009/05/12 14:15:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/12 02:37:10 | 02,906,216 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Lazaro\My Documents\mbam-setup.exe
[2009/05/12 01:55:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\AVGTOOLBAR
[2009/05/12 01:54:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/05/11 15:37:32 | 00,014,149 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\There is NO Federal Law.docx
[2009/05/11 03:12:50 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\References.doc
[2009/05/10 04:19:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/05/07 22:53:35 | 00,095,232 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Lazaro's Resume.doc
[2009/05/07 22:18:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\My Documents\Job Applications
[2009/05/06 19:11:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\HorizonWimba
[2009/05/06 19:11:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/05/06 19:11:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\Sun
[2009/05/04 06:52:32 | 00,000,434 | ---- | C] () -- C:\WINDOWS\tasks\WebReg 20090504065232.job
[2009/05/04 06:48:32 | 00,001,812 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/05/04 06:47:37 | 00,626,960 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hpvaut32.dll
[2009/05/04 06:47:37 | 00,487,424 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hpvcp70.dll
[2009/05/04 06:47:37 | 00,344,064 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\hpvcr70.dll
[2009/05/04 06:47:37 | 00,044,544 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSXML4a.dll
[2009/05/04 06:47:09 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
[2009/05/04 06:45:45 | 00,000,808 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Director.lnk
[2009/05/04 06:43:46 | 00,000,906 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Image Zone.lnk
[2009/05/04 06:43:12 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\HP
[2009/05/04 06:39:51 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbscan.sys
[2009/05/04 06:39:51 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2009/05/04 06:33:56 | 00,000,000 | ---D | C] -- C:\Program Files\HP
[2009/05/04 06:32:54 | 00,038,868 | ---- | C] () -- C:\WINDOWS\hpomdl03.dat
[2009/05/04 06:32:54 | 00,029,359 | ---- | C] () -- C:\WINDOWS\hpoins03.dat
[2009/05/04 06:08:27 | 00,012,288 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\berenice.wps
[2009/05/04 06:06:56 | 00,000,818 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Microsoft Works.LNK
[2009/05/04 06:06:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\Template
[2009/05/04 06:06:45 | 00,000,232 | ---- | C] () -- C:\Documents and Settings\Lazaro\Application Data\wklnhst.dat
[2009/05/04 04:50:32 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\VIDEO WRITE UP.doc
[2009/05/04 01:45:33 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Middle Adulthood synopsis.doc
[2009/05/01 17:16:08 | 00,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbprint.sys
[2009/05/01 17:16:08 | 00,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbprint.sys
[2009/05/01 16:52:54 | 00,005,780 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\crying_child.jpg
[2009/05/01 16:12:08 | 00,017,173 | ---- | C] () -- C:\Documents and Settings\Lazaro\Desktop\Kids.jpg
[2009/05/01 03:52:46 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\500 Video Synopsis.doc
[2009/05/01 03:49:55 | 00,061,952 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\620Asyllabus[2].doc
[2009/05/01 00:24:44 | 00,006,446 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{3B1D75C8-084A-4E41-B58D-B1C137B04E3C}_Large.jpg
[2009/05/01 00:24:44 | 00,002,010 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{3B1D75C8-084A-4E41-B58D-B1C137B04E3C}_Small.jpg
[2009/05/01 00:22:41 | 08,783,149 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Shout (Parts 1 & 2).mp3
[2009/05/01 00:22:41 | 04,889,490 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Ain't No Mountain High Enough (Album Version).mp3
[2009/04/30 22:34:55 | 00,009,132 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{CFCD3B00-05EF-47F4-961A-CE0CB0FA1C57}_Large.jpg
[2009/04/30 22:34:55 | 00,002,467 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{CFCD3B00-05EF-47F4-961A-CE0CB0FA1C57}_Small.jpg
[2009/04/30 22:32:48 | 00,009,132 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Folder.jpg
[2009/04/30 22:32:48 | 00,002,467 | -HS- | C] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArtSmall.jpg
[2009/04/30 21:47:31 | 05,293,865 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\01 - This Will Be (An Everlasting Love).mp3
[2009/04/30 21:47:30 | 06,875,152 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Bad Day.mp3
[2009/04/29 00:53:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\My Documents\Fotos Video Assignment 3
[2009/04/29 00:39:20 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Middle Adulthood.doc
[2009/04/27 00:16:51 | 00,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2009/04/27 00:16:11 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2009/04/27 00:14:17 | 00,000,000 | ---D | C] -- C:\281aec8e30fc51ef69
[2009/04/27 00:14:15 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/04/27 00:14:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2009/04/27 00:02:46 | 00,072,704 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\SW610-Assignment_4[1].doc
[2009/04/26 17:19:35 | 00,028,160 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Write Up MEP.doc
[2009/04/22 16:22:43 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Table 4.doc
[2009/04/22 15:48:17 | 00,030,208 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\Table 3.doc
[2009/04/22 15:34:09 | 00,042,496 | ---- | C] () -- C:\Documents and Settings\Lazaro\My Documents\SW610-Assignment_4.2_FINAL.doc
[2009/04/22 15:33:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Lazaro\Application Data\U3
[2009/03/31 11:18:26 | 00,233,472 | ---- | C] () -- C:\WINDOWS\System32\M3000DIF.dll
[2009/03/31 11:18:26 | 00,151,936 | ---- | C] () -- C:\WINDOWS\System32\drivers\M3000KNT.sys
[2009/03/31 11:18:25 | 00,015,190 | ---- | C] () -- C:\WINDOWS\M3000Twn.ini
[2009/03/13 00:05:29 | 00,002,923 | ---- | C] () -- C:\WINDOWS\System32\bpinst.dll
[2009/02/04 15:02:04 | 00,001,233 | ---- | C] () -- C:\WINDOWS\SASETS.INI
[2009/01/20 16:12:26 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/01/20 11:11:40 | 00,000,620 | ---- | C] () -- C:\WINDOWS\win.ini
[2009/01/20 03:04:28 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2008/07/30 19:37:26 | 00,006,782 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/04/14 13:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2008/02/15 13:21:56 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2005/03/28 15:45:26 | 00,000,135 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
[2004/02/25 23:18:04 | 00,565,248 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2002/11/22 03:57:26 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2002/11/22 03:57:26 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2002/11/22 03:57:26 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2002/11/22 03:57:26 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2002/11/22 03:57:26 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2002/11/22 03:57:24 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

========== Files - Modified Within 30 Days ==========

[8 C:\WINDOWS\System32\*.tmp files]
[2009/05/20 18:50:12 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/20 18:50:12 | 00,443,034 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/20 18:50:12 | 00,072,134 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/20 18:48:27 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Lazaro\Local Settings\desktop.ini
[2009/05/20 18:47:59 | 36,294,399 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/05/20 18:47:27 | 00,058,917 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/05/20 18:45:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/20 18:45:40 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/20 18:45:39 | 10,611,05664 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/20 07:41:31 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/20 07:41:31 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/20 07:41:31 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/20 07:41:25 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/20 05:02:13 | 00,434,673 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/05/20 04:58:50 | 06,061,540 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\avi7.avg
[2009/05/20 04:58:50 | 00,001,511 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG Free 8.5.lnk
[2009/05/18 14:53:17 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Hi professor Nava.doc
[2009/05/17 08:46:02 | 14,043,440 | ---- | M] (Doctor Web, Ltd.) -- C:\Documents and Settings\Lazaro\Desktop\drweb-cureit.exe
[2009/05/17 08:25:16 | 00,150,192 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\TweakUiPowertoySetup.exe
[2009/05/17 08:16:09 | 16,283,032 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\jre-6u13-windows-i586-p.exe
[2009/05/17 07:11:45 | 00,016,982 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\There are 3 driver files I.docx
[2009/05/17 05:53:17 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/17 05:49:37 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/05/17 05:21:37 | 02,988,937 | R--- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Combo-Fix.exe
[2009/05/17 05:19:07 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lazaro\Desktop\OTListIt2.exe
[2009/05/17 05:14:42 | 00,724,952 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\avenger.zip
[2009/05/17 05:01:03 | 00,000,697 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Shortcut to tango.exe.lnk
[2009/05/16 16:57:38 | 00,440,104 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\RootRepeal.zip
[2009/05/16 16:13:18 | 00,000,615 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\NTREGOPT.lnk
[2009/05/16 16:13:18 | 00,000,596 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\ERUNT.lnk
[2009/05/16 16:12:11 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Lazaro\Desktop\erunt-setup.exe
[2009/05/15 23:05:17 | 00,010,487 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Thanks for the help in advance.docx
[2009/05/15 22:45:35 | 00,359,883 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\dds.scr
[2009/05/14 22:17:50 | 00,617,662 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Nogales Family Scholarship Flyer.pdf
[2009/05/14 20:22:27 | 00,693,528 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\avgremover.exe
[2009/05/14 17:50:08 | 00,117,248 | ---- | M] () -- C:\WINDOWS\vFind.exe
[2009/05/14 15:44:02 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/14 01:04:45 | 00,000,077 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\desktop.ini
[2009/05/14 00:54:41 | 00,249,496 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/13 20:51:25 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/13 19:27:26 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Lazaro\Desktop\mbam-setup.exe
[2009/05/13 18:55:15 | 00,355,974 | ---- | M] (Digital River, Inc.) -- C:\Documents and Settings\Lazaro\Desktop\Download NAV09EN1 now.exe
[2009/05/13 18:38:21 | 43,064,720 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\20090513-020-v5i32.exe
[2009/05/13 01:59:00 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/05/13 01:58:17 | 00,001,606 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/05/13 01:57:47 | 07,526,856 | ---- | M] (Mozilla) -- C:\Documents and Settings\Lazaro\My Documents\Firefox Setup 3.0.10.exe
[2009/05/12 16:20:23 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Discussion paragraph.doc
[2009/05/11 15:37:32 | 00,014,149 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\There is NO Federal Law.docx
[2009/05/11 04:06:34 | 01,182,208 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Gay and Lesbian Adoption.ppt
[2009/05/11 03:12:50 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\References.doc
[2009/05/07 22:53:37 | 00,095,232 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Lazaro's Resume.doc
[2009/05/07 00:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/04 06:52:34 | 00,000,434 | ---- | M] () -- C:\WINDOWS\tasks\WebReg 20090504065232.job
[2009/05/04 06:50:00 | 00,029,359 | ---- | M] () -- C:\WINDOWS\hpoins03.dat
[2009/05/04 06:49:58 | 00,000,620 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/04 06:48:32 | 00,001,812 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2009/05/04 06:45:45 | 00,000,808 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Director.lnk
[2009/05/04 06:45:18 | 00,000,906 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\HP Image Zone.lnk
[2009/05/04 06:10:57 | 00,000,232 | ---- | M] () -- C:\Documents and Settings\Lazaro\Application Data\wklnhst.dat
[2009/05/04 06:08:27 | 00,012,288 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\berenice.wps
[2009/05/04 06:06:56 | 00,000,818 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Microsoft Works.LNK
[2009/05/04 05:53:37 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\VIDEO WRITE UP.doc
[2009/05/04 03:55:49 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Middle Adulthood synopsis.doc
[2009/05/04 03:25:05 | 00,009,132 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Folder.jpg
[2009/05/04 03:25:05 | 00,009,132 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{CFCD3B00-05EF-47F4-961A-CE0CB0FA1C57}_Large.jpg
[2009/05/04 03:25:05 | 00,002,467 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArtSmall.jpg
[2009/05/04 03:25:05 | 00,002,467 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{CFCD3B00-05EF-47F4-961A-CE0CB0FA1C57}_Small.jpg
[2009/05/01 16:51:19 | 00,005,780 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\crying_child.jpg
[2009/05/01 16:10:31 | 00,017,173 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Kids.jpg
[2009/05/01 03:52:47 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\500 Video Synopsis.doc
[2009/05/01 03:52:01 | 04,889,490 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Ain't No Mountain High Enough (Album Version).mp3
[2009/05/01 03:51:44 | 00,061,952 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\620Asyllabus[2].doc
[2009/05/01 00:24:44 | 00,006,446 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{3B1D75C8-084A-4E41-B58D-B1C137B04E3C}_Large.jpg
[2009/05/01 00:24:44 | 00,002,010 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\AlbumArt_{3B1D75C8-084A-4E41-B58D-B1C137B04E3C}_Small.jpg
[2009/05/01 00:13:10 | 08,783,149 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Shout (Parts 1 & 2).mp3
[2009/04/30 22:38:13 | 05,293,865 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\01 - This Will Be (An Everlasting Love).mp3
[2009/04/30 20:52:38 | 06,875,152 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\01 - Bad Day.mp3
[2009/04/29 00:39:21 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Middle Adulthood.doc
[2009/04/27 00:20:44 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Lazaro\Desktop\Windows Media Player.lnk
[2009/04/27 00:19:47 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/04/27 00:19:47 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/04/27 00:15:15 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/04/27 00:14:15 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2009/04/27 00:02:47 | 00,072,704 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\SW610-Assignment_4[1].doc
[2009/04/26 19:04:34 | 00,028,160 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Write Up MEP.doc
[2009/04/24 22:30:39 | 00,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/04/22 16:34:06 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Table 4.doc
[2009/04/22 16:34:02 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Table 3.doc
[2009/04/22 15:31:34 | 00,042,496 | ---- | M] () -- C:\Documents and Settings\Lazaro\My Documents\SW610-Assignment_4.2_FINAL.doc

========== LOP Check ==========

[2009/05/20 04:56:37 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/05/13 18:56:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
[2009/04/07 20:42:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/05/20 04:58:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg8
[2009/02/04 14:54:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eSobi
[2009/05/12 23:08:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2009/05/12 14:15:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/12 01:58:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/05/09 03:07:18 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/05/13 20:44:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2009/05/20 08:26:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/05/13 19:21:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/02/04 14:54:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2009/05/20 08:26:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/04/02 00:55:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/05/13 01:58:29 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Lazaro\Application Data
[2009/03/31 11:29:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Adobe
[2009/05/20 19:12:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\AVGTOOLBAR
[2009/04/01 18:15:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\eSobi
[2009/05/13 19:15:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\GetRightToGo
[2009/04/01 18:03:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Google
[2009/05/06 19:11:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\HorizonWimba
[2009/02/04 14:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Identities
[2009/02/04 14:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\InstallShield
[2009/02/04 14:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Macromedia
[2009/05/12 18:57:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Malwarebytes
[2009/05/20 04:57:06 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Lazaro\Application Data\Microsoft
[2009/05/17 06:33:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Move Networks
[2009/05/13 01:58:58 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Mozilla
[2009/05/06 19:11:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Sun
[2009/05/04 06:06:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\Template
[2009/05/12 16:19:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Lazaro\Application Data\U3
[2008/04/14 13:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/05/20 18:45:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/05/04 06:52:34 | 00,000,434 | ---- | M] () -- C:\WINDOWS\Tasks\WebReg 20090504065232.job

========== Purity Check ==========

< End of report >

-----------------------------------------------------------

Extras.Txt

OTListIt Extras logfile created on: 5/20/2009 8:08:48 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Lazaro\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1011.88 Mb Total Physical Memory | 566.65 Mb Available Physical Memory | 56.00% Memory free
2.37 Gb Paging File | 1.98 Gb Available in Paging File | 83.55% Paging File free
Paging file location(s): C:\pagefile.sys 1512 3024 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 143.20 Gb Total Space | 128.78 Gb Free Space | 89.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAZARITO
Current User Name: Lazaro
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/14 13:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/12/02 22:44:52 | 00,582,992 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
[2008/12/02 22:53:08 | 01,170,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
[2008/12/02 23:41:54 | 03,882,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/14 13:00:00 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008/11/24 22:16:44 | 01,020,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
[2008/12/02 22:44:52 | 00,582,992 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
[2008/12/02 22:53:08 | 01,170,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
[2008/12/02 23:41:54 | 03,882,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2009/05/20 07:41:16 | 00,908,568 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
[2009/05/20 05:06:22 | 01,085,208 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
[2009/05/20 07:41:21 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{18E0918E-1060-48f3-925C-56C82E88551B}" = HP PSC & OfficeJet 3.5
"{1F7473D9-6C0B-4F5A-8FA4-AB8AD78CBE54}" = DocProc
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22988B2A-374A-4A7B-B795-A1AFF2046BE9}" = PhotoGallery
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{257EC58E-03FD-472B-A9B6-93F23A3C4CB0}" = Scan
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron JMB38X Flash Media Controller
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{29B50D30-EAFC-4cea-9F76-3A0E3729E9B0}" = SkinsHP1
"{34957B51-9676-41CE-9E52-44AE91B73F1C}" = HP Software Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{415B8A4E-0EA2-4C69-975C-EEE07B837FD7}" = Unload
"{47C25360-AEBC-4B21-B233-87CE653B3369}" = AIOMinimal
"{48242276-DB89-42e8-9678-BD4280D7B99A}" = Copy
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{55DCBED7-5710-4939-A928-4CBD9AB09EBB}" = 1310_Help
"{5786D2C8-A4C4-4DDB-B671-8ED2A53310EC}" = 1310Tour
"{57C7C46A-D35D-492d-A328-4F8C9B5B4B52}" = PrintScreen
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{6864A62D-3EF3-415F-9922-240EED34B4C0}" = Fax
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{723C033E-63EA-4227-BAB2-0AA8693C16EB}" = Director
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{745A92AF-53B4-41A7-91C3-9B026B1D5897}" = InstantShare
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver
"{81DD5688-695A-4c1d-AE7D-368BF857725A}" = TrayApp
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99D48FBB-2DEF-49A9-BCC9-C5AF63DD2643}" = AiOSoftware
"{9B03C535-3AEA-4ef2-B326-0A01A2207034}" = CreativeProjects
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AEC20FEC-47D8-4DEA-85D7-0B7E5D905D11}" = AiO_Scan
"{BC339BFD-F550-471a-8D26-4D08126C62F7}" = SkinsHP2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CBE3E0AF-73BB-4c21-8B96-B09E003EDE7F}" = QuickProjects
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E443F067-3345-482C-BD7A-12675A53D292}" = Readme
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F730A60D-F6DA-4653-9C6E-548F7A3A5EE0}" = 1310Trb
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{F7952CA2-A925-4CA1-A934-A46E8EC9CA18}" = Acer Crystal Eye Webcam
"{F9B0968A-810E-484C-B81D-7F19DC2CBBF5}" = 1310
"{FBBF532A-47AC-457d-AC06-0D3163D8911E}" = WebReg
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG8Uninstall" = AVG Free 8.5
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007 Trial
"HP Photo & Imaging" = HP Image Zone 3.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LManager" = Launch Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Micro Solutions" = Backpack Driver
"Micro Solutions SpeedyCD" = Backpack SpeedyCD
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.10)" = Mozilla Firefox (3.0.10)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Tweak UI 2.10" = Tweak UI
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/9/2009 12:04:41 AM | Computer Name = LAZARITO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 5/9/2009 12:07:42 AM | Computer Name = LAZARITO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 5/9/2009 12:07:42 AM | Computer Name = LAZARITO | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/9/2009 6:07:12 AM | Computer Name = LAZARITO | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 7.0.6000.16827, faulting
module flash10b.ocx, version 10.0.22.87, fault address 0x000c1890.

Error - 5/9/2009 6:07:17 AM | Computer Name = LAZARITO | Source = Application Error | ID = 1001
Description = Fault bucket 1228545236.

Error - 5/12/2009 11:33:30 PM | Computer Name = LAZARITO | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 5/12/2009 11:33:30 PM | Computer Name = LAZARITO | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data
will
not be returned. Error code returned is in data DWORD 0.

Error - 5/12/2009 11:33:32 PM | Computer Name = LAZARITO | Source = WmiAdapter | ID = 4099
Description = Open of service failed.

Error - 5/13/2009 6:12:28 PM | Computer Name = LAZARITO | Source = Application Hang | ID = 1002
Description = Hanging application ccSvcHst.exe, version 108.1.0.24, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/13/2009 6:12:52 PM | Computer Name = LAZARITO | Source = Application Hang | ID = 1001
Description = Fault bucket 1168821417.

[ System Events ]
Error - 5/17/2009 6:06:47 PM | Computer Name = LAZARITO | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/17/2009 6:06:47 PM | Computer Name = LAZARITO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD BHDrvx86 bpfinder ccHP eeCtrl Fips IDSxpx86 intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss
SRTSPX
SYMTDI
Tcpip

Error - 5/17/2009 8:45:39 PM | Computer Name = LAZARITO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 5/17/2009 8:45:59 PM | Computer Name = LAZARITO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/18/2009 4:48:15 PM | Computer Name = LAZARITO | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 00242B8346DE. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.

Error - 5/19/2009 12:47:29 AM | Computer Name = LAZARITO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/19/2009 12:47:45 AM | Computer Name = LAZARITO | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 bpfinder ccHP eeCtrl Fips IDSxpx86 intelppm SRTSPX SYMTDI

Error - 5/19/2009 1:48:40 AM | Computer Name = LAZARITO | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 5/19/2009 4:19:26 PM | Computer Name = LAZARITO | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 5/20/2009 9:38:35 AM | Computer Name = LAZARITO | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 00242B8346DE. The following
error occurred: %%121. Your computer will continue to try and obtain an address on
its own from the network address (DHCP) server.


< End of report >
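Every file entry in the OTListIt reports above uses the same line layout: `[date | size | attributes | M] (Company) -- path`, with the company group missing on the LOP Check directory lines. As an added example that is not part of this thread or of OldTimer's tool, a Python triage helper that parses that layout and flags the entries a responder would look at first; the sample report mixes lines quoted from the log above with one constructed entry (EXAMPLE_UNSIGNED.dll), and the two triage heuristics are mine, not OTL's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTListIt/OTL file entry:
#   [YYYY/MM/DD hh:mm:ss | size | attrs | M] (Company) -- path
# The "(Company)" group is absent on the "LOP Check" directory lines.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[A-Z])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl")
SYSTEM32 = "c:\\windows\\system32\\"  # also covers System32\drivers\


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str      # four flag slots: R(ead-only) H(idden) S(ystem) D(irectory)
    company: str    # version-resource company name; "" when the file has none
    path: str

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXECUTABLE_EXT)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one report line; return None for headers and other non-entry text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),   # "00,249,496" -> 249496
        attrs=m["attrs"],
        company=(m["company"] or "").strip(),   # OTL leaves a trailing space
        path=m["path"],
    )


def parse_report(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Heuristics (mine, not OTL's): executables in System32 that carry no
    company name, and executables marked both hidden and system."""
    findings = []
    for e in entries:
        if e.is_dir or not e.is_executable:
            continue
        if e.path.lower().startswith(SYSTEM32) and not e.company:
            findings.append((e.path, "executable in System32 with no company name"))
        if e.hidden and e.system:
            findings.append((e.path, "executable with hidden+system attributes"))
    return findings


# Constructed sample: five lines quoted from the thread's log plus one
# made-up entry (EXAMPLE_UNSIGNED.dll) that should trip both heuristics.
SAMPLE_REPORT = r"""
[2009/05/14 00:54:41 | 00,249,496 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/13 19:27:26 | 02,967,816 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Lazaro\Desktop\mbam-setup.exe
[2009/05/07 00:16:29 | 24,699,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/05/04 03:25:05 | 00,009,132 | -HS- | M] () -- C:\Documents and Settings\Lazaro\My Documents\Folder.jpg
[2009/05/13 02:11:09 | 00,032,768 | -HS- | M] () -- C:\WINDOWS\System32\EXAMPLE_UNSIGNED.dll
[2009/05/20 04:56:37 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
"""

if __name__ == "__main__":
    for path, reason in triage(parse_report(SAMPLE_REPORT)):
        print(f"{reason}: {path}")
```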

#12 Maurice Naggar

    Eradicator de malware

  • Malware Response Team
  • 1,088 posts
  • Gender:Male
  • Location:USA

Posted 21 May 2009 - 07:37 AM

There is one file that we need to delete. Otherwise, your last report looks good. The DNS Changer was removed much earlier and the rootkit as well. Your system is good to go after these steps:
  • Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • Return to OTListIt2. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log.", click the OK button.
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.
=

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste combo-fix /u and then click OK.
  • Please double-click OTListIt2.exe to start it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
