Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware I cant get off


  • This topic is locked This topic is locked
18 replies to this topic

#1 treypal

treypal

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 17 September 2009 - 09:54 AM

Keeps crashing internet explorer, and firefox, computer is running slow, etc.

DDS log.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 9:40:11.89 on Thu 09/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.206 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\j88gft5t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-12-17 36400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-12-18 47640]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-2-1 2440120]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-12-17 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-12-17 671408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-2 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-12-17 2234320]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090901.023\NAVENG.SYS [2009-9-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090901.023\NAVEX15.SYS [2009-9-2 1323568]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-3-7 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-3-7 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-3-7 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-3-7 59520]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-09-15 10:21 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-15 10:20 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-09-15 10:20 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-15 10:20 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-09-15 10:20 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-09-15 10:19 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-09-15 10:19 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\scripting
2009-09-15 09:15 <DIR> --d----- c:\windows\l2schemas
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\en
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\bits
2009-09-14 16:26 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-08 13:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-08 13:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 13:25 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-08 13:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-09-15 09:21 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 08:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 23:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 23:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-14 10:58 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 12:21 4,874,240 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-22 06:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 06:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 06:49 117,248 -------- c:\windows\system32\dllcache\mqtgsvc.exe
2009-06-22 06:49 19,968 -------- c:\windows\system32\dllcache\mqbkup.exe
2009-06-22 06:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-22 06:49 4,608 -------- c:\windows\system32\dllcache\mqsvc.exe
2009-06-22 06:48 91,776 -------- c:\windows\system32\dllcache\mqac.sys
2009-06-22 01:44 726,528 a------- c:\windows\system32\dllcache\jscript.dll

============= FINISH: 9:41:13.15 ===============



Root Repeal:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/17 09:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA1DF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AF2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA926C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090901.023\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf87a9710

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x82457c40

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf87a9840

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x82eafab8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xfeab9b88

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xf87a9970

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0xfe892ab0]
Process: System Address: 0xffba08d0 Size: 1613

Object: Hidden Code [ETHREAD: 0xfe892838]
Process: System Address: 0xffb8dbe0 Size: 1060

Object: Hidden Code [ETHREAD: 0xfe8925c0]
Process: System Address: 0xffbd5d00 Size: 769

Object: Hidden Code [ETHREAD: 0xfe892348]
Process: System Address: 0xffb6e110 Size: 2758

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0xffb61756 Size: 58

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0xffb61756 Size: 58

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0xffb5d1ac Size: 1758

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0xffb5d1ac Size: 1758

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xffb61768 Size: 40

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xffb61762 Size: 46

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xffb6175c Size: 52

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0xffb61768 Size: 40

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0xffb61774 Size: 28

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xffb6177a Size: 22

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0xffb6176e Size: 34

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0xffb61756 Size: 58

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0xffb61756 Size: 58

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0xffb5d1ac Size: 1758

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0xffb5d1ac Size: 1758

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xffb61768 Size: 40

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xffb61762 Size: 46

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xffb6175c Size: 52

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0xffb61768 Size: 40

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0xffb61774 Size: 28

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xffb6177a Size: 22

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0xffb6176e Size: 34

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0xfe827570

==EOF==


Thanks for your help!

BC AdBot (Login to Remove)

 


#2 DocSatan

DocSatan

    Bleepin' Wanna-Be


  • Members
  • 2,156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Boston, Ma.
  • Local time:06:19 AM

Posted 03 October 2009 - 07:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

#3 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 05 October 2009 - 09:34 AM

I am still having problems with this computer. IE will not run at all, and firefox will run, but will not allow you to download anything, it keeps crashing. Also having a Huge PF and I cannot find the reason why.


DDS Log:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Administrator at 9:05:53.78 on Mon 10/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.48 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wupdmgr.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_9
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: ckpNotify - ckpNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\j88gft5t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-3 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-3 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-3 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-3 297752]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [2007-12-17 36400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-8-3 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-12-18 47640]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-2-1 2440120]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [2007-12-17 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [2007-12-17 671408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-2 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [2007-12-17 2234320]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091001.037\NAVENG.SYS [2009-10-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091001.037\NAVEX15.SYS [2009-10-2 1323568]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-3-7 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-3-7 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-3-7 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-3-7 59520]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-10-02 15:33 <DIR> a-dshr-- C:\cmdcons
2009-10-02 15:31 229,888 a------- c:\windows\PEV.exe
2009-10-02 15:31 161,792 a------- c:\windows\SWREG.exe
2009-10-02 15:31 98,816 a------- c:\windows\sed.exe
2009-10-02 15:31 <DIR> --d----- C:\ComboFix
2009-09-15 10:21 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-09-15 10:20 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-09-15 10:20 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-15 10:20 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-09-15 10:20 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-09-15 10:19 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-09-15 10:19 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\scripting
2009-09-15 09:15 <DIR> --d----- c:\windows\l2schemas
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\en
2009-09-15 09:15 <DIR> --d----- c:\windows\system32\bits
2009-09-14 16:26 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-08 13:25 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-09-08 13:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 13:25 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 13:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-08 13:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-09-15 09:21 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-28 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 08:40 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-28 23:37 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-07-28 23:37 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 13:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-14 10:58 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-12 12:21 4,874,240 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-12 12:21 233,472 -------- c:\windows\system32\dllcache\wmpdxm.dll

============= FINISH: 9:06:51.40 ===============

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 10 October 2009 - 03:09 AM

Hi treypal,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Please perform all the steps fully and in the order they are written.
  • I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
    1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
    2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
    Therefore please go to add/remove in the control panel and remove either AVG or Norton. Tell me also which one you uninstalled.

  • Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Open a notepad (Start > Run and type in Notepad ) make sure the wordwrap under Format menu is not selected.
    Copy and paste the text in code box into it.

    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}]
    @="Microsoft Url Search Hook"
    
    [HKEY_CLASSES_ROOT\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}\InProcServer32]
    @="C:\\WINDOWS\\system32\\ieframe.dll"
    "ThreadingModel"="Apartment"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
    • Save the file to the desktop as regfix.reg
    • Make sure the Save as type field says All files.
    • Locate regfix.reg on the desktop and double-click on it and confirm.
    • A window pops up asking if you are sure to add the file to the registry. Click Yes.
    • You get another window popup saying that regfix.reg successfully added to the registry.
    Note: You have to turn off any registry protector software you have in order the changes to be taken place.

  • Reboot the computer and tell me if Internet Explorer is still not running.

  • Please download MBR.EXE by GMER. Save the file in your Root directory (C:\).

    Go to Start -> Run, type cmd and click OK.
    Copy and paste the following lines one by one in the open command window and press Enter after each line:

    cd\
    c:\mbr.exe -t
    c:\mbr.log


    A log file (c:\mbr.log) will open. Post the contents of it to your reply.

  • You have run ComboFix which is not recommended to run without the supervision of a trained helper. I need to see its log:

    Please go to start -> Run. Copy and paste the bold line in the run-box and click OK:

    C:\ComboFix.txt

    If a text file opens up, copy and paste the content to your reply.


#5 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 12 October 2009 - 02:13 PM

MBAM log:

Malwarebytes' Anti-Malware 1.41
Database version: 2945
Windows 5.1.2600 Service Pack 3

10/12/2009 9:34:12 AM
mbam-log-2009-10-12 (09-34-12).txt

Scan type: Quick Scan
Objects scanned: 133085
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Combofix:
ComboFix 09-10-01.05 - Administrator 10/02/2009 15:34.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.347 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\System\Uninstall
c:\windows\Installer\2bcceab6.msp
c:\windows\ModemLog_PANTECH USB Modem .txt
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-09-15 15:21 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-09-15 15:20 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-09-15 15:20 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-15 15:20 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-09-15 15:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-09-15 15:19 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-15 15:19 . 2009-10-02 19:47 -------- d-----w- c:\windows\LastGood
2009-09-15 15:19 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\scripting
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\l2schemas
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\en
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\bits
2009-09-14 21:26 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 18:25 . 2009-09-08 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-08 18:25 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 18:25 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 18:25 . 2009-09-08 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 18:25 . 2009-09-14 19:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 19:58 . 2006-12-07 23:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-02 14:31 . 2007-12-18 17:24 -------- d-----w- c:\program files\LogMeIn
2009-10-01 20:38 . 2007-12-17 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-15 19:00 . 2006-01-26 22:44 -------- d-----w- c:\program files\MSN Messenger
2009-09-15 13:43 . 2009-07-15 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-28 13:40 . 2009-02-03 16:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:40 . 2009-02-03 16:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 13:40 . 2009-02-03 16:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 15:58 . 2009-07-14 15:58 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-14 15:58 . 2009-07-14 15:58 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-12 17:21 . 2004-08-11 23:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-28 2007832]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-3-7 1738032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-06-19 19:01 24669 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-23 19:38 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SymCorpUI.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/3/2009 11:59 AM 108552]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [12/17/2007 4:50 PM 109072]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [12/17/2007 4:50 PM 2234320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/3/2009 11:58 AM 335240]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 11:58 AM 297752]
S2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [12/17/2007 4:49 PM 36400]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/18/2007 12:25 PM 47640]
S2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [12/17/2007 4:49 PM 671408]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/2/2009 4:33 AM 102448]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [3/7/2008 12:23 PM 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [3/7/2008 12:23 PM 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [3/7/2008 12:23 PM 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [3/7/2008 12:23 PM 59520]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\User_Feed_Synchronization-{EA73162F-8F47-4CBA-B9E1-E07B87C6F277}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 15:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1984886284-1438626582-588946948-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,1e,a6,b1,f7,41,86,41,ae,44,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,1e,a6,b1,f7,41,86,41,ae,44,0b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\LMIinit.dll
.
Completion time: 2009-10-02 15:39
ComboFix-quarantined-files.txt 2009-10-02 20:39

Pre-Run: 56,132,702,208 bytes free
Post-Run: 56,113,274,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

204 --- E O F --- 2009-09-16 08:06



MBR.log
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0xFFB1D1AC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0xffb2175c
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> 0xffb5e790
Warning: possible MBR rootkit infection !
MBR rootkit code detected !
malicious code @ sector 0x94faafc size 0x1fe !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
PE file found in sector at 0x094FAAFC !

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 12 October 2009 - 04:15 PM

Hi treypal,

Thanks for the logs.

We both want to get the job done properly. Please read the instruction fully and tell me about the steps you performed and give feedback about the questions asked unless you are angry with me and don't want to talk to me. Thanks. :(
  • To remove the leftovers please download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after running ComboFix.
  • Delete your copy of ComboFix from the desktop if you still have it and download ComboFix from one of these locations. Also make sure there is internet connection as ComboFix checks the version to make sure it is updated.:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#7 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 12 October 2009 - 06:51 PM

ComboFix 09-10-11.03 - Administrator 10/12/2009 18:29.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.195 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\11c43c.msi

.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.

2009-10-12 19:07 . 2009-10-12 19:06 71680 ----a-w- C:\mbr.exe
2009-09-15 15:21 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-09-15 15:20 . 2008-05-08 14:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-09-15 15:20 . 2008-10-24 11:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-09-15 15:20 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-09-15 15:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-09-15 15:19 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-09-15 15:19 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\scripting
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\l2schemas
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\en
2009-09-15 14:15 . 2009-09-15 14:15 -------- d-----w- c:\windows\system32\bits
2009-09-14 21:26 . 2009-06-21 22:04 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 21:28 . 2006-01-18 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 05:31 . 2007-12-18 17:24 -------- d-----w- c:\program files\LogMeIn
2009-10-02 21:30 . 2006-12-07 23:45 -------- d-----w- c:\program files\Symantec AntiVirus
2009-10-01 20:38 . 2007-12-17 16:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2009-09-15 19:00 . 2006-01-26 22:44 -------- d-----w- c:\program files\MSN Messenger
2009-09-15 13:43 . 2009-07-15 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-09-14 19:56 . 2009-09-08 18:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 19:54 . 2009-09-08 18:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-08 18:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 18:25 . 2009-09-08 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-08 18:25 . 2009-09-08 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-28 13:40 . 2009-02-03 16:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:40 . 2009-02-03 16:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 13:40 . 2009-02-03 16:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:01 . 2004-08-11 23:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-11 23:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2004-08-11 23:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 18:55 . 2004-08-11 23:00 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-02_20.38.28 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-14 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-02 2023704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-3-7 1738032]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
2005-06-19 19:01 24669 ----a-w- c:\windows\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-23 19:38 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SCC.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.EXE"=
"c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_DIAGNOSTICS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Symantec AntiVirus\\Smc.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Symantec AntiVirus\\SymCorpUI.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/3/2009 11:58 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/3/2009 11:59 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/3/2009 11:58 AM 297752]
R2 CP_OMDRV;Check Point Office Mode Module;c:\windows\system32\drivers\omdrv.sys [12/17/2007 4:49 PM 36400]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [12/18/2007 12:25 PM 47640]
R2 VNASC;Check Point Virtual Network Adapter - SecureClient;c:\windows\system32\drivers\vnasc.sys [12/17/2007 4:50 PM 109072]
R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [12/17/2007 4:49 PM 671408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/2/2009 4:33 AM 102448]
R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [12/17/2007 4:50 PM 2234320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [3/7/2008 12:23 PM 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [3/7/2008 12:23 PM 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [3/7/2008 12:23 PM 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [3/7/2008 12:23 PM 59520]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\User_Feed_Synchronization-{EA73162F-8F47-4CBA-B9E1-E07B87C6F277}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 18:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1984886284-1438626582-588946948-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,1e,a6,b1,f7,41,86,41,ae,44,0b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e7,1e,a6,b1,f7,41,86,41,ae,44,0b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2260)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-10-12 18:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 23:42
ComboFix2.txt 2009-10-02 20:39

Pre-Run: 55,467,974,656 bytes free
Post-Run: 55,495,417,856 bytes free

212 --- E O F --- 2009-09-16 08:06

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 12 October 2009 - 07:29 PM

We both want to get the job done properly. Please read the instruction fully and tell me about the steps you performed and give feedback about the questions asked.

#9 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 13 October 2009 - 07:04 AM

I am having trouble uninstalling symantec antivirus, it keeps freezing up, which is preventing the norton removal tool from running. Internet Explorer is still crashing.

I was able to disable AVG like you asked to run Combofix.

What else do I need to do?

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 13 October 2009 - 08:14 AM

Thanks for the feedback, that is what I needed to know. We will attend to those problems you mention later on.

Go to Start -> Run, type cmd and then click OK.
At copy and paste the following lines one by one in the command prompt and press Enter after each line :

c:\mbr.exe -f
c:\mbr.exe -f
c:\mbr.log


(the first two command are the same)

A log.file opens. Please post the content to your reply.

#11 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 13 October 2009 - 08:24 AM

Here is the log file from mbr.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
PE file found in sector at 0x094FAAFC !

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 13 October 2009 - 09:09 AM

Please perform the steps in the order they are written. It is important to run OTL as the last step.
  • Reboot the computer if you have not rebooted it after previous fix by mbr.exe.

  • Please go to Start => Run. Copy and paste the following commands one by one in the run box and click enter after each line:

    C:\mbr.exe
    C:\mbr.log


    After the second run a log file opens. Please post the content of it.

  • Run Internet Explorer in "No Add-ons" Mode:
    • Close Internet Explorer if it is running.
    • Go to start > Run.
    • Copy/paste in the run box: iexplore.exe -extoff
    • Click OK or press Enter.
    • See how Internet Explorer is running in that mode. If it crashes describe how long it lasts before crashing and if it crashes by itself.

      Note: When you close Internet Explorer and restart it, it will again function in normal mode with all Add-ons
  • Use Firefox for a while and tell me if Firefox is also still crashing.

  • Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop.
    • Click the "Scan All Users" checkbox.
    • Under Drivers section check "All".
    • Under Registry check "All".
    • Click Run Scan button and wait without doing any action until the scan is finished.
    • Two reports will open, copy and paste them to your reply:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


#13 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 13 October 2009 - 06:04 PM

Internet explorer did not crash in addons disabled mode, and now firefox can download files without crashing.

MBR.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
PE file found in sector at 0x094FAAFC !



OTL.TXT
OTL logfile created on: 10/13/2009 5:42:05 PM - Run 3
OTL by OldTimer - Version 3.0.20.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 77.93 Mb Available Physical Memory | 15.52% Memory free
1.20 Gb Paging File | 0.81 Gb Available in Paging File | 67.38% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 51.72 Gb Free Space | 69.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 15.05 Gb Total Space | 15.04 Gb Free Space | 99.97% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IIIKIN-H1YC491
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\My Documents\Downloads\OTL(2).exe (OldTimer Tools)
PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe (Check Point Software Technologies)
PRC - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (Check Point Software Technologies)
PRC - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
PRC - C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
PRC - C:\Program Files\Symantec AntiVirus\SmcGui.exe (Symantec Corporation)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\HPZipm12.exe (HP)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation)
SRV - (avg8wd [Auto | Running]) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (CcmExec [Disabled | Stopped]) -- C:\WINDOWS\System32\CCM\CcmExec.exe (Microsoft Corporation)
SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
SRV - (LMIMaint [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)
SRV - (LogMeIn [Auto | Running]) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (Pml Driver HPZ12 [Unknown | Running]) -- C:\WINDOWS\System32\HPZipm12.exe (HP)
SRV - (RoxLiveShare9 [Auto | Stopped]) -- File not found
SRV - (SmcService [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
SRV - (SNAC [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE (Symantec Corporation)
SRV - (SR_Service [Disabled | Stopped]) -- File not found
SRV - (SR_WatchDog [Auto | Running]) -- C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe (Check Point Software Technologies)
SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Wuser32 [Auto | Running]) -- C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe (Microsoft Corporation)

========== Driver Services (All) ==========

DRV - (Abiosdsk [Disabled | Stopped]) -- File not found
DRV - (abp480n5 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS (Microsoft Corporation)
DRV - (ACPI [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ACPI.sys (Microsoft Corporation)
DRV - (ACPIEC [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\acpiec.sys (Microsoft Corporation)
DRV - (adpu160m [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\adpu160m.sys (Microsoft Corporation)
DRV - (aec [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\aec.sys (Microsoft Corporation)
DRV - (AFD [System | Running]) -- C:\WINDOWS\System32\drivers\afd.sys (Microsoft Corporation)
DRV - (agp440 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\agp440.sys (Microsoft Corporation)
DRV - (agpCPQ [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\agpCPQ.sys (Microsoft Corporation)
DRV - (Aha154x [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aha154x.sys (Microsoft Corporation)
DRV - (aic78u2 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aic78u2.sys (Microsoft Corporation)
DRV - (aic78xx [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aic78xx.sys (Microsoft Corporation)
DRV - (AliIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (alim1541 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\alim1541.sys (Microsoft Corporation)
DRV - (amdagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (amsint [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\amsint.sys (Microsoft Corporation)
DRV - (asc [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3350p [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3350p.sys (Microsoft Corporation)
DRV - (asc3550 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AsyncMac [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\asyncmac.sys (Microsoft Corporation)
DRV - (atapi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\atapi.sys (Microsoft Corporation)
DRV - (Atdisk [Disabled | Stopped]) -- File not found
DRV - (Atmarpc [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\atmarpc.sys (Microsoft Corporation)
DRV - (audstub [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\audstub.sys (Microsoft Corporation)
DRV - (AvgLdx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86 [System | Running]) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX [System | Running]) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (b57w2k [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\b57xp32.sys (Broadcom Corporation)
DRV - (Beep [System | Running]) -- C:\WINDOWS\System32\drivers\beep.sys (Microsoft Corporation)
DRV - (BrPar [Auto | Running]) -- C:\WINDOWS\System32\drivers\BrPar.sys (Brother Industries Ltd.)
DRV - (catchme [On_Demand | Stopped]) -- File not found
DRV - (cbidf [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cbidf2k.sys (Microsoft Corporation)
DRV - (cbidf2k [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\cbidf2k.sys (Microsoft Corporation)
DRV - (cd20xrnt [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys (Microsoft Corporation)
DRV - (Cdaudio [System | Stopped]) -- C:\WINDOWS\System32\drivers\cdaudio.sys (Microsoft Corporation)
DRV - (Cdfs [Disabled | Running]) -- C:\WINDOWS\System32\drivers\cdfs.sys (Microsoft Corporation)
DRV - (Cdrom [System | Running]) -- C:\WINDOWS\System32\DRIVERS\cdrom.sys (Microsoft Corporation)
DRV - (Changer [System | Stopped]) -- File not found
DRV - (CmdIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (COH_Mon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\COH_Mon.sys (Symantec Corporation)
DRV - (CP_OMDRV [Auto | Running]) -- C:\WINDOWS\System32\drivers\omdrv.sys (Check Point Software Technologies)
DRV - (Cpqarray [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\cpqarray.sys (Microsoft Corporation)
DRV - (dac2w2k [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (dac960nt [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac960nt.sys (Microsoft Corporation)
DRV - (Disk [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\disk.sys (Microsoft Corporation)
DRV - (dmboot [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\dmboot.sys (Microsoft Corp., Veritas Software)
DRV - (dmio [Boot | Running]) -- C:\WINDOWS\System32\drivers\dmio.sys (Microsoft Corp., Veritas Software)
DRV - (dmload [Boot | Running]) -- C:\WINDOWS\System32\drivers\dmload.sys (Microsoft Corp., Veritas Software.)
DRV - (DMusic [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\DMusic.sys (Microsoft Corporation)
DRV - (dpti2o [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\dpti2o.sys (Microsoft Corporation)
DRV - (drmkaud [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\drmkaud.sys (Microsoft Corporation)
DRV - (E100B [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (Fastfat [Disabled | Running]) -- C:\WINDOWS\System32\drivers\fastfat.sys (Microsoft Corporation)
DRV - (Fdc [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\fdc.sys (Microsoft Corporation)
DRV - (Fips [System | Running]) -- C:\WINDOWS\System32\drivers\fips.sys (Microsoft Corporation)
DRV - (Flpydisk [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\flpydisk.sys (Microsoft Corporation)
DRV - (FltMgr [Boot | Running]) -- C:\WINDOWS\system32\drivers\fltmgr.sys (Microsoft Corporation)
DRV - (Ftdisk [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ftdisk.sys (Microsoft Corporation)
DRV - (FW1 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\fw.sys (Check Point Software Technologies)
DRV - (Gpc [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\msgpc.sys (Microsoft Corporation)
DRV - (HidUsb [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\hidusb.sys (Microsoft Corporation)
DRV - (hpn [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\hpn.sys (Microsoft Corporation)
DRV - (HPZid412 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys (HP)
DRV - (HTTP [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\HTTP.sys (Microsoft Corporation)
DRV - (i2omgmt [System | Running]) -- C:\WINDOWS\System32\drivers\i2omgmt.sys (Microsoft Corporation)
DRV - (i2omp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\i2omp.sys (Microsoft Corporation)
DRV - (i8042prt [System | Stopped]) -- C:\WINDOWS\System32\DRIVERS\i8042prt.sys (Microsoft Corporation)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (idisw2km [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\idisw2km.sys (Microsoft Corporation)
DRV - (Imapi [System | Running]) -- C:\WINDOWS\System32\DRIVERS\imapi.sys (Microsoft Corporation)
DRV - (ini910u [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ini910u.sys (Microsoft Corporation)
DRV - (IntelIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\intelide.sys (Microsoft Corporation)
DRV - (intelppm [System | Running]) -- C:\WINDOWS\System32\DRIVERS\intelppm.sys (Microsoft Corporation)
DRV - (Ip6Fw [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\ip6fw.sys (Microsoft Corporation)
DRV - (IpFilterDriver [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys (Microsoft Corporation)
DRV - (IpInIp [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ipinip.sys (Microsoft Corporation)
DRV - (IpNat [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ipnat.sys (Microsoft Corporation)
DRV - (IPSec [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ipsec.sys (Microsoft Corporation)
DRV - (IRENUM [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\irenum.sys (Microsoft Corporation)
DRV - (isapnp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\isapnp.sys (Microsoft Corporation)
DRV - (Kbdclass [System | Running]) -- C:\WINDOWS\System32\DRIVERS\kbdclass.sys (Microsoft Corporation)
DRV - (kbdhid [System | Running]) -- C:\WINDOWS\System32\DRIVERS\kbdhid.sys (Microsoft Corporation)
DRV - (kbstuff [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\kbstuff5.sys (Microsoft Corporation)
DRV - (kmixer [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\kmixer.sys (Microsoft Corporation)
DRV - (KSecDD [Boot | Running]) -- C:\WINDOWS\System32\drivers\ksecdd.sys (Microsoft Corporation)
DRV - (lbrtfdc [System | Stopped]) -- File not found
DRV - (LMIInfo [Auto | Running]) -- C:\Program Files\LogMeIn\x86\RaInfo.sys (LogMeIn, Inc.)
DRV - (lmimirr [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\lmimirr.sys (LogMeIn, Inc.)
DRV - (LMIRfsClientNP [Disabled | Stopped]) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)
DRV - (LMIRfsDriver [Auto | Running]) -- C:\WINDOWS\System32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)
DRV - (mbr [On_Demand | Running]) -- File not found
DRV - (mnmdd [System | Running]) -- C:\WINDOWS\System32\drivers\mnmdd.sys (Microsoft Corporation)
DRV - (Modem [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\modem.sys (Microsoft Corporation)
DRV - (Mouclass [System | Running]) -- C:\WINDOWS\System32\DRIVERS\mouclass.sys (Microsoft Corporation)
DRV - (mouhid [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\mouhid.sys (Microsoft Corporation)
DRV - (MountMgr [Boot | Running]) -- C:\WINDOWS\System32\drivers\mountmgr.sys (Microsoft Corporation)
DRV - (mraid35x [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (MRxDAV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\mrxdav.sys (Microsoft Corporation)
DRV - (MRxSmb [System | Running]) -- C:\WINDOWS\System32\DRIVERS\mrxsmb.sys (Microsoft Corporation)
DRV - (Msfs [System | Running]) -- C:\WINDOWS\System32\drivers\msfs.sys (Microsoft Corporation)
DRV - (MSKSSRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\MSKSSRV.sys (Microsoft Corporation)
DRV - (MSPCLOCK [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\MSPCLOCK.sys (Microsoft Corporation)
DRV - (MSPQM [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\MSPQM.sys (Microsoft Corporation)
DRV - (mssmbios [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\mssmbios.sys (Microsoft Corporation)
DRV - (Mup [Boot | Running]) -- C:\WINDOWS\System32\drivers\mup.sys (Microsoft Corporation)
DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVENG.SYS (Symantec Corporation)
DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVEX15.SYS (Symantec Corporation)
DRV - (NDIS [Boot | Running]) -- C:\WINDOWS\System32\drivers\ndis.sys (Microsoft Corporation)
DRV - (NdisTapi [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ndistapi.sys (Microsoft Corporation)
DRV - (Ndisuio [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ndisuio.sys (Microsoft Corporation)
DRV - (NdisWan [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ndiswan.sys (Microsoft Corporation)
DRV - (NDProxy [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\ndproxy.sys (Microsoft Corporation)
DRV - (NetBIOS [System | Running]) -- C:\WINDOWS\System32\DRIVERS\netbios.sys (Microsoft Corporation)
DRV - (NetBT [System | Running]) -- C:\WINDOWS\System32\DRIVERS\netbt.sys (Microsoft Corporation)
DRV - (Npfs [System | Running]) -- C:\WINDOWS\System32\drivers\npfs.sys (Microsoft Corporation)
DRV - (Ntfs [Disabled | Running]) -- C:\WINDOWS\System32\drivers\ntfs.sys (Microsoft Corporation)
DRV - (Null [System | Running]) -- C:\WINDOWS\System32\drivers\null.sys (Microsoft Corporation)
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (NwlnkFlt [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys (Microsoft Corporation)
DRV - (NwlnkFwd [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys (Microsoft Corporation)
DRV - (Parport [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\parport.sys (Microsoft Corporation)
DRV - (PartMgr [Boot | Running]) -- C:\WINDOWS\System32\drivers\partmgr.sys (Microsoft Corporation)
DRV - (ParVdm [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\parvdm.sys (Microsoft Corporation)
DRV - (PCI [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\pci.sys (Microsoft Corporation)
DRV - (PCIDump [System | Stopped]) -- File not found
DRV - (PCIIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\pciide.sys (Microsoft Corporation)
DRV - (Pcmcia [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\pcmcia.sys (Microsoft Corporation)
DRV - (PDCOMP [On_Demand | Stopped]) -- File not found
DRV - (PDFRAME [On_Demand | Stopped]) -- File not found
DRV - (PDRELI [On_Demand | Stopped]) -- File not found
DRV - (PDRFRAME [On_Demand | Stopped]) -- File not found
DRV - (perc2 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\perc2.sys (Microsoft Corporation)
DRV - (perc2hib [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\perc2hib.sys (Microsoft Corporation)
DRV - (PptpMiniport [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\raspptp.sys (Microsoft Corporation)
DRV - (prepdrvr [On_Demand | Stopped]) -- C:\WINDOWS\System32\CCM\prepdrv.sys (Microsoft Corporation)
DRV - (PSched [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\psched.sys (Microsoft Corporation)
DRV - (PTDMBus [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDMBus.sys (DEVGURU Co,LTD.)
DRV - (PTDMMdm [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDMMdm.sys (DEVGURU Co,LTD.)
DRV - (PTDMVsp [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDMVsp.sys (DEVGURU Co,LTD.)
DRV - (PTDMWWAN [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\PTDMWWAN.sys (DEVGURU Co,LTD.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (ql1080 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (Ql10wnt [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql10wnt.sys (Microsoft Corporation)
DRV - (ql12160 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1240 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1240.sys (Microsoft Corporation)
DRV - (ql1280 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (RasAcd [System | Running]) -- C:\WINDOWS\System32\DRIVERS\rasacd.sys (Microsoft Corporation)
DRV - (Rasl2tp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\rasl2tp.sys (Microsoft Corporation)
DRV - (RasPppoe [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\raspppoe.sys (Microsoft Corporation)
DRV - (Raspti [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\raspti.sys (Microsoft Corporation)
DRV - (Rdbss [System | Running]) -- C:\WINDOWS\System32\DRIVERS\rdbss.sys (Microsoft Corporation)
DRV - (RDPCDD [System | Running]) -- C:\WINDOWS\System32\DRIVERS\RDPCDD.sys (Microsoft Corporation)
DRV - (rdpdr [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\rdpdr.sys (Microsoft Corporation)
DRV - (RDPWD [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\rdpwd.sys (Microsoft Corporation)
DRV - (redbook [System | Running]) -- C:\WINDOWS\System32\DRIVERS\redbook.sys (Microsoft Corporation)
DRV - (RimUsb [On_Demand | Stopped]) -- File not found
DRV - (RimVSerPort [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\RimSerial.sys (Research in Motion Ltd)
DRV - (ROOTMODEM [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\RootMdm.sys (Microsoft Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (senfilt [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (serenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\serenum.sys (Microsoft Corporation)
DRV - (Serial [System | Running]) -- C:\WINDOWS\System32\DRIVERS\serial.sys (Microsoft Corporation)
DRV - (Sfloppy [System | Stopped]) -- C:\WINDOWS\System32\drivers\sfloppy.sys (Microsoft Corporation)
DRV - (Simbad [Disabled | Stopped]) -- File not found
DRV - (sisagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (Sparrow [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (SPBBCDrv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
DRV - (splitter [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\splitter.sys (Microsoft Corporation)
DRV - (sr [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sr.sys (Microsoft Corporation)
DRV - (Srv [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\srv.sys (Microsoft Corporation)
DRV - (swenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\swenum.sys (Microsoft Corporation)
DRV - (swmidi [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\swmidi.sys (Microsoft Corporation)
DRV - (sym_hi [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (symc810 [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (SymEvent [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
DRV - (sysaudio [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\sysaudio.sys (Microsoft Corporation)
DRV - (Tcpip [System | Running]) -- C:\WINDOWS\System32\DRIVERS\tcpip.sys (Microsoft Corporation)
DRV - (TDPIPE [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\tdpipe.sys (Microsoft Corporation)
DRV - (TDTCP [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\tdtcp.sys (Microsoft Corporation)
DRV - (TermDD [System | Running]) -- C:\WINDOWS\System32\DRIVERS\termdd.sys (Microsoft Corporation)
DRV - (TfFsMon [Boot | Stopped]) -- File not found
DRV - (TfNetMon [On_Demand | Stopped]) -- File not found
DRV - (TfSysMon [Boot | Stopped]) -- File not found
DRV - (TosIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\toside.sys (Microsoft Corporation)
DRV - (Udfs [Disabled | Stopped]) -- C:\WINDOWS\System32\drivers\udfs.sys (Microsoft Corporation)
DRV - (ultra [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (Update [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\update.sys (Microsoft Corporation)
DRV - (usbccgp [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\usbccgp.sys (Microsoft Corporation)
DRV - (usbehci [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\usbehci.sys (Microsoft Corporation)
DRV - (usbhub [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\usbhub.sys (Microsoft Corporation)
DRV - (usbprint [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\usbprint.sys (Microsoft Corporation)
DRV - (usbscan [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\usbscan.sys (Microsoft Corporation)
DRV - (USBSTOR [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS (Microsoft Corporation)
DRV - (usbuhci [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\usbuhci.sys (Microsoft Corporation)
DRV - (VgaSave [System | Running]) -- C:\WINDOWS\System32\drivers\vga.sys (Microsoft Corporation)
DRV - (viaagp [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\viaagp.sys (Microsoft Corporation)
DRV - (ViaIde [Disabled | Stopped]) -- C:\WINDOWS\system32\DRIVERS\viaide.sys (Microsoft Corporation)
DRV - (VNASC [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\vnasc.sys (Check Point Software Technologies)
DRV - (VolSnap [Boot | Running]) -- C:\WINDOWS\System32\drivers\volsnap.sys (Microsoft Corporation)
DRV - (VPN-1 [Auto | Running]) -- C:\WINDOWS\System32\drivers\vpn.sys (Check Point Software Technologies)
DRV - (Wanarp [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\wanarp.sys (Microsoft Corporation)
DRV - (WDICA [On_Demand | Stopped]) -- File not found
DRV - (wdmaud [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\wdmaud.sys (Microsoft Corporation)
DRV - (WPS [System | Running]) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys (Symantec Corporation)
DRV - (WpsHelper [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\WpsHelper.sys (Symantec Corporation)
DRV - (WS2IFSL [System | Running]) -- C:\WINDOWS\System32\drivers\ws2ifsl.sys (Microsoft Corporation)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
IE - HKU\S-1-5-21-1984886284-1438626582-588946948-500\S-1-5-21-1984886284-1438626582-588946948-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-tyc7"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-tyc7"
FF - prefs.js..browser.search.selectedEngine: "Yahoo! Search"
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: avg@igeared:2.507.024.001
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.07103010
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.5.200812101546
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/08/28 08:41:32 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/08/28 10:35:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/15 08:12:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/15 08:12:21 | 00,000,000 | ---D | M]

[2008/12/16 16:30:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions
[2008/12/16 16:30:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/12 18:59:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\j88gft5t.default\extensions
[2009/03/24 15:26:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\j88gft5t.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/09/16 09:04:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\j88gft5t.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/05/03 10:28:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\mozilla\Firefox\Profiles\j88gft5t.default\extensions\moveplayer@movenetworks.com
[2008/12/16 16:30:36 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/15 08:12:21 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/09/15 08:12:08 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/09/15 08:12:08 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/09/15 08:12:10 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/08/26 08:56:08 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/08/26 08:56:08 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/07/15 15:17:56 | 00,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\avg_igeared.xml
[2009/08/26 08:56:09 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/08/26 08:56:09 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/08/26 08:56:09 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/08/26 08:56:09 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/08/26 08:56:09 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()
O3 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\..\Toolbar\WebBrowser: (&Links) - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\WINDOWS\System32\ieframe.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKU\S-1-5-21-1984886284-1438626582-588946948-500..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1984886284-1438626582-588946948-500..\Run: [msnmsgr] C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1984886284-1438626582-588946948-500..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe (Smith Micro Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Important Notice: ELECTRONIC MAIL AND INTERNET USAGE POLICY
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = [String data over 1000 bytes]
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1984886284-1438626582-588946948-500_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.61.21
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whes.com
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\ckpNotify: DllName - ckpNotify.dll - C:\WINDOWS\System32\ckpNotify.dll (Check Point Software Technologies)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/10/12 16:26:05 | 00,793,200 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Norton_Removal_Tool.exe
[2009/10/02 15:33:19 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/10/02 15:31:24 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/10/02 15:31:24 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/10/02 15:31:24 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/10/02 15:31:24 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/10/02 15:31:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/10/02 15:28:59 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/15 10:21:21 | 00,272,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\bthport.sys
[2009/09/15 10:20:25 | 00,203,136 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rmcast.sys
[2009/09/15 10:20:21 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/09/15 10:20:13 | 00,333,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\srv.sys
[2009/09/15 10:20:03 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2009/09/15 10:19:42 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\inetcomm.dll
[2009/09/15 10:19:05 | 00,337,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\netapi32.dll
[2009/09/15 10:16:34 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/09/15 09:15:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/09/15 09:15:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/09/15 09:15:18 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/09/15 09:15:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/09/15 08:57:27 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/09/14 16:26:27 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2009/10/13 17:35:14 | 00,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{EA73162F-8F47-4CBA-B9E1-E07B87C6F277}.job
[2009/10/13 17:34:50 | 00,001,893 | ---- | M] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\VZAccess Manager.lnk
[2009/10/13 17:34:34 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/13 09:38:01 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/13 09:37:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/13 09:37:56 | 52,652,8512 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/13 09:34:55 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/10/13 09:34:55 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/10/13 09:34:48 | 03,759,880 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/10/13 08:44:30 | 42,770,980 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/10/13 08:44:30 | 00,024,446 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/10/12 18:48:23 | 00,071,680 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\mbr.exe
[2009/10/12 18:38:56 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/10/12 18:38:26 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/10/12 16:28:34 | 03,337,593 | R--- | M] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2009/10/12 16:27:28 | 00,793,200 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\Administrator\Desktop\Norton_Removal_Tool.exe
[2009/10/12 16:26:03 | 00,000,275 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ComboFix.lnk
[2009/10/12 14:06:44 | 00,071,680 | ---- | M] () -- C:\mbr.exe
[2009/10/12 09:35:02 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/10/12 09:35:02 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/10/12 09:25:27 | 00,000,450 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\regfix.reg
[2009/10/11 08:10:09 | 00,236,544 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/10/05 09:32:18 | 00,003,446 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2009/10/05 09:17:07 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/10/05 09:17:07 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/10/02 15:33:24 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/10/02 14:57:07 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/10/02 14:57:07 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/10/02 14:48:00 | 00,004,566 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/02 14:47:54 | 00,447,132 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/02 14:47:54 | 00,386,318 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/02 14:47:54 | 00,054,856 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/01 22:51:36 | 00,492,629 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\miniavi.avg
[2009/09/17 09:26:52 | 00,359,932 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/16 03:12:48 | 00,189,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/15 14:00:46 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2009/09/15 13:59:39 | 00,000,786 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Windows Media Player.lnk
[2009/09/15 13:59:33 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/09/15 10:14:05 | 00,000,268 | -H-- | M] () -- C:\sqmdata19.sqm
[2009/09/15 10:14:05 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009/09/15 09:03:10 | 00,250,048 | RHS- | M] () -- C:\ntldr

========== Files - No Company Name ==========
[2009/10/12 18:28:09 | 03,337,593 | R--- | C] () -- C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
[2009/10/12 16:26:03 | 00,000,275 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Shortcut to ComboFix.lnk
[2009/10/12 14:07:22 | 00,071,680 | ---- | C] () -- C:\mbr.exe
[2009/10/12 11:32:17 | 00,071,680 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\mbr.exe
[2009/10/12 09:25:26 | 00,000,450 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\regfix.reg
[2009/10/05 09:32:18 | 00,003,446 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Attach.zip
[2009/10/02 16:30:01 | 52,652,8512 | -HS- | C] () -- C:\hiberfil.sys
[2009/10/02 15:33:24 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/10/02 15:33:21 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/10/02 15:31:24 | 00,236,544 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/10/02 15:31:24 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/10/02 15:31:24 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/10/02 15:31:24 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/17 09:26:25 | 00,359,932 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\dds.scr
[2009/09/15 14:00:46 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2008/12/16 15:46:53 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PUTTY.RND
[2008/12/05 16:10:37 | 03,759,880 | -H-- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2008/07/04 03:41:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/01/09 11:39:45 | 00,004,133 | ---- | C] () -- C:\WINDOWS\entrust.ini
[2007/12/17 16:50:11 | 00,106,588 | ---- | C] () -- C:\WINDOWS\System32\fwnetcfg.dll
[2007/12/17 16:19:04 | 00,000,145 | ---- | C] () -- C:\WINDOWS\BRVIDEO.INI
[2007/12/17 16:19:04 | 00,000,040 | ---- | C] () -- C:\WINDOWS\BRDIAG.INI
[2007/12/17 16:19:04 | 00,000,023 | ---- | C] () -- C:\WINDOWS\Brownie.ini
[2007/12/17 16:18:56 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
[2007/12/17 16:18:56 | 00,026,624 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC32.DLL
[2007/12/17 16:18:56 | 00,004,608 | ---- | C] () -- C:\WINDOWS\System32\BRGSRC16.DLL
[2007/12/17 16:18:55 | 00,008,975 | ---- | C] () -- C:\WINDOWS\HL-2040.INI
[2007/12/17 16:18:30 | 00,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/12/17 12:51:45 | 00,042,168 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2007/01/03 09:47:32 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2006/08/01 08:06:01 | 00,000,206 | ---- | C] () -- C:\WINDOWS\HPGdiPlus.ini
[2006/05/31 07:36:05 | 00,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2006/01/26 11:58:40 | 00,004,659 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/01/25 10:35:33 | 00,000,183 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006/01/19 15:46:41 | 00,000,486 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/07 18:37:57 | 00,000,455 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/07 18:19:00 | 00,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/04/27 13:38:00 | 00,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2005/04/27 13:37:49 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2004/08/11 18:24:19 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 18:20:25 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini
[2004/08/11 18:11:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/11 18:07:11 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/11 18:00:37 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/11 18:00:35 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/01/07 16:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/08/17 15:50:20 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\rrviewx.dll
[1996/07/12 03:00:00 | 00,045,696 | ---- | C] () -- C:\WINDOWS\System32\rsgui08.dll
[1994/12/16 16:34:08 | 00,014,909 | ---- | C] () -- C:\WINDOWS\System32\rrlabels.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 145 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >



Extras.txt
OTL Extras logfile created on: 10/13/2009 5:42:05 PM - Run 3
OTL by OldTimer - Version 3.0.20.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

502.07 Mb Total Physical Memory | 77.93 Mb Available Physical Memory | 15.52% Memory free
1.20 Gb Paging File | 0.81 Gb Available in Paging File | 67.38% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 51.72 Gb Free Space | 69.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 15.05 Gb Total Space | 15.04 Gb Free Space | 99.97% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: IIIKIN-H1YC491
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS\System32\shell32.DLL (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\ieframe.DLL (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1984886284-1438626582-588946948-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %* File not found
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SERVICE.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient service -- File not found
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics -- ()
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient application -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SCC.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient command line -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_SDS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient SDS agent -- (Check Point Software Technologies)
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_DIAGNOSTICS.EXE:*:Enabled:VPN-1 SecuRemote/SecureClient diagnostics -- ()
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG8\avgnsx.exe" = C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\Symantec AntiVirus\Smc.exe" = C:\Program Files\Symantec AntiVirus\Smc.exe:*:Enabled:SMC Service -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SNAC.EXE" = C:\Program Files\Symantec AntiVirus\SNAC.EXE:*:Enabled:SNAC Service -- (Symantec Corporation)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:Symantec Email -- (Symantec Corporation)
"C:\Program Files\Symantec AntiVirus\SymCorpUI.exe" = C:\Program Files\Symantec AntiVirus\SymCorpUI.exe:*:Enabled:Symantec Endpoint Protection -- (Symantec Corporation)
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 -- (Microsoft Corporation)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{0864A89D-9C9C-4495-8C98-CF2BDADF93CF}" = Solutions-Now Reporting Interface
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3F8471E1-B09D-483D-A92D-9AFF55419F60}" = Brother HL-2040
"{5421155F-B033-49DB-9B33-8F80F233D4D5}" = GdiplusUpgrade
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}" = LogMeIn
"{83AD5E71-80C0-4818-B6E4-CA2607B6A141}" = SMS Advanced Client
"{8A5F34E2-37CF-4AD4-808C-2D413786E31A}" = Microsoft Visual C Runtime
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{972C2BBC-F277-4A6C-972C-5E5AFC044D7F}" = Solutions-Now
"{9FCF2FC0-8268-11D4-A313-0006290D766E}" = Check Point VPN-1 SecureClient NGX R60
"{AC76BA86-7AD7-1033-7B44-A70900000002}" = Adobe Reader 7.0.9
"{B29B0066-547B-402c-9C0D-090E2F928A01}" = PANTECH PC USB Modem Software
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG8Uninstall" = AVG Free 8.5
"Citrix ICA Client" = Citrix ICA Client
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.5.3)" = Mozilla Firefox (3.5.3)
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"VZAccess Manager" = VZAccess Manager
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/13/2009 6:31:14 AM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 8:13:16 AM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 9:54:19 AM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 10:39:04 AM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be contacted.
). Group Policy processing aborted.

Error - 10/13/2009 10:39:04 AM | Computer Name = IIIKIN-H1YC491 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007054b). The specified domain either does not exist
or could not be contacted. Enrollment will not be performed.

Error - 10/13/2009 12:09:07 PM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 2:05:09 PM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 3:55:12 PM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 5:38:14 PM | Computer Name = IIIKIN-H1YC491 | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (Access is denied.
). Group Policy processing aborted.

Error - 10/13/2009 6:39:04 PM | Computer Name = IIIKIN-H1YC491 | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007052b). Unable to update the password. The value provided
as the current password is incorrect. Enrollment will not be performed.

[ System Events ]
Error - 10/13/2009 10:40:32 AM | Computer Name = IIIKIN-H1YC491 | Source = NETLOGON | ID = 5721
Description = The session setup to the Windows NT or Windows 2000 Domain Controller
\\iiikinfs.whes.com for the domain WHES failed because the Domain Controller does
not have an account for the computer IIIKIN-H1YC491.

Error - 10/13/2009 10:54:34 AM | Computer Name = IIIKIN-H1YC491 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 29 minutes. NtpClient has no source of accurate
time.

Error - 10/13/2009 11:09:34 AM | Computer Name = IIIKIN-H1YC491 | Source = NETLOGON | ID = 5721
Description = The session setup to the Windows NT or Windows 2000 Domain Controller
\\iiikindom01.whes.com for the domain WHES failed because the Domain Controller
does not have an account for the computer IIIKIN-H1YC491.

Error - 10/13/2009 11:24:34 AM | Computer Name = IIIKIN-H1YC491 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 59 minutes. NtpClient has no source of accurate
time.

Error - 10/13/2009 12:24:34 PM | Computer Name = IIIKIN-H1YC491 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 119 minutes. NtpClient has no source of accurate
time.

Error - 10/13/2009 2:24:34 PM | Computer Name = IIIKIN-H1YC491 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 239 minutes. NtpClient has no source of accurate
time.

Error - 10/13/2009 3:09:34 PM | Computer Name = IIIKIN-H1YC491 | Source = NETLOGON | ID = 5721
Description = The session setup to the Windows NT or Windows 2000 Domain Controller
\\iiikinfs.whes.com for the domain WHES failed because the Domain Controller does
not have an account for the computer IIIKIN-H1YC491.

Error - 10/13/2009 3:39:34 PM | Computer Name = IIIKIN-H1YC491 | Source = NETLOGON | ID = 5721
Description = The session setup to the Windows NT or Windows 2000 Domain Controller
\\iiikindom01.whes.com for the domain WHES failed because the Domain Controller
does not have an account for the computer IIIKIN-H1YC491.

Error - 10/13/2009 6:24:34 PM | Computer Name = IIIKIN-H1YC491 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 479 minutes. NtpClient has no source of accurate
time.

Error - 10/13/2009 6:34:28 PM | Computer Name = IIIKIN-H1YC491 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.


< End of report >



Thank you so much for your help!

#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,689 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:12:19 PM

Posted 13 October 2009 - 08:30 PM

Thanks for the feedback.
  • Please open OTL.
    • Copy the text in code box and paste it to Custom Scans/Fixes section:

      :otl
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
      O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
      SRV - (ccEvtMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
      SRV - (ccSetMgr [Auto | Running]) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
      SRV - (LiveUpdate [On_Demand | Stopped]) -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE (Symantec Corporation)
      SRV - (SmcService [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Smc.exe (Symantec Corporation)
      SRV - (SNAC [On_Demand | Stopped]) -- C:\Program Files\Symantec AntiVirus\SNAC.EXE (Symantec Corporation)
      SRV - (Symantec AntiVirus [Auto | Running]) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation)
      DRV - (COH_Mon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\COH_Mon.sys (Symantec Corporation)
      DRV - (COH_Mon [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\COH_Mon.sys (Symantec Corporation)
      DRV - (eeCtrl [System | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
      DRV - (EraserUtilRebootDrv [On_Demand | Running]) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
      DRV - (NAVENG [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVENG.SYS (Symantec Corporation)
      DRV - (NAVEX15 [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVEX15.SYS (Symantec Corporation)
      DRV - (SPBBCDrv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (Symantec Corporation)
      DRV - (SymEvent [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS (Symantec Corporation)
      DRV - (SYMREDRV [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS (Symantec Corporation)
      DRV - (TfFsMon [Boot | Stopped]) -- File not found
      DRV - (TfNetMon [On_Demand | Stopped]) -- File not found
      DRV - (TfSysMon [Boot | Stopped]) -- File not found
      DRV - (WPS [System | Running]) -- C:\WINDOWS\System32\drivers\wpsdrvnt.sys (Symantec Corporation)
      DRV - (WpsHelper [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\WpsHelper.sys (Symantec Corporation)
      
      :files
      C:\Program Files\Symantec AntiVirus
      C:\Program Files\Common Files\Symantec Shared
      :commands
      [emptytemp]
    • Click Run Fix button.
    • If the fix needed a reboot please do it.
    • After finished a log will open. Copy and paste the log to your reply.
  • Now please run Norton removal tool once more. Tell me if you could run it this time.

  • Go to start > Control Panel > internet options.
    • Under General tab press Delete... then Delete All a window opens check Also delete files and settings stored by Add-ons click Yes.
    • Under Advanced tab click Restore advanced settings
  • Run Internet explorer (in normal mode) and tell me if it is still crashing.


#15 treypal

treypal
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 14 October 2009 - 09:11 AM

Internet explorer is running great.
Ran the removal tool, it says to uninstall symantec under add or remover programs, but its not there, so I have nothing to uninstall, and the removal tool wont run because it says that I need to uninstall symantec.

Thanks again for all your help.


OTL Log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ccApp deleted successfully.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe moved successfully.
Unable to stop service\driver ccEvtMgr.
Service\Driver ccEvtMgr deleted successfully.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe moved successfully.
Unable to stop service\driver ccSetMgr.
Service\Driver ccSetMgr deleted successfully.
File C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe not found.
Service\Driver LiveUpdate stopped successfully.
Service\Driver LiveUpdate deleted successfully.
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE moved successfully.
Unable to stop service\driver SmcService.
Service\Driver SmcService deleted successfully.
C:\Program Files\Symantec AntiVirus\Smc.exe moved successfully.
Service\Driver SNAC stopped successfully.
Service\Driver SNAC deleted successfully.
C:\Program Files\Symantec AntiVirus\SNAC.EXE moved successfully.
Service\Driver Symantec AntiVirus stopped successfully.
Service\Driver Symantec AntiVirus deleted successfully.
C:\Program Files\Symantec AntiVirus\Rtvscan.exe moved successfully.
Service\Driver COH_Mon stopped successfully.
Service\Driver COH_Mon deleted successfully.
C:\WINDOWS\System32\Drivers\COH_Mon.sys moved successfully.
Service\Driver COH_Mon not found.
Service\Driver COH_Mon not found.
File C:\WINDOWS\System32\Drivers\COH_Mon.sys not found.
Service\Driver eeCtrl stopped successfully.
Service\Driver eeCtrl deleted successfully.
C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys moved successfully.
Unable to stop service\driver EraserUtilRebootDrv.
Service\Driver EraserUtilRebootDrv deleted successfully.
C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys moved successfully.
Service\Driver NAVENG stopped successfully.
Service\Driver NAVENG deleted successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVENG.SYS moved successfully.
Service\Driver NAVEX15 stopped successfully.
Service\Driver NAVEX15 deleted successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040\NAVEX15.SYS moved successfully.
Service\Driver SPBBCDrv stopped successfully.
Service\Driver SPBBCDrv deleted successfully.
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys moved successfully.
Unable to stop service\driver SymEvent.
Service\Driver SymEvent deleted successfully.
C:\WINDOWS\System32\Drivers\SYMEVENT.SYS moved successfully.
Service\Driver SYMREDRV stopped successfully.
Service\Driver SYMREDRV deleted successfully.
C:\WINDOWS\System32\Drivers\SYMREDRV.SYS moved successfully.
Service\Driver TfFsMon stopped successfully.
Service\Driver TfFsMon deleted successfully.
File File not found not found.
Service\Driver TfNetMon stopped successfully.
Service\Driver TfNetMon deleted successfully.
File File not found not found.
Service\Driver TfSysMon stopped successfully.
Service\Driver TfSysMon deleted successfully.
File File not found not found.
Unable to stop service\driver WPS.
Service\Driver WPS deleted successfully.
C:\WINDOWS\System32\drivers\wpsdrvnt.sys moved successfully.
Service\Driver WpsHelper stopped successfully.
Service\Driver WpsHelper deleted successfully.
C:\WINDOWS\System32\drivers\WpsHelper.sys moved successfully.
========== FILES ==========
C:\Program Files\Symantec AntiVirus\XDelta moved successfully.
C:\Program Files\Symantec AntiVirus\SmcLU moved successfully.
C:\Program Files\Symantec AntiVirus\res\1033 moved successfully.
C:\Program Files\Symantec AntiVirus\res moved successfully.
C:\Program Files\Symantec AntiVirus\IU moved successfully.
C:\Program Files\Symantec AntiVirus\Help moved successfully.
C:\Program Files\Symantec AntiVirus\ContentCache moved successfully.
C:\Program Files\Symantec AntiVirus moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmpeb6.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5fff.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5add.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp46c5.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp273.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp16f3.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\TextHub moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\incoming moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091012.021 moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091009.040 moved successfully.
C:\Program Files\Common Files\Symantec Shared\VirusDefs moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\tmp46c8.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\tmp16fa.tmp moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\incoming moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\BinHub moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\20090923.002 moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs\20090911.001 moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData\cndcipsdefs moved successfully.
C:\Program Files\Common Files\Symantec Shared\SymcData moved successfully.
C:\Program Files\Common Files\Symantec Shared\SRTSP moved successfully.
C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.
C:\Program Files\Common Files\Symantec Shared\SPBBC moved successfully.
C:\Program Files\Common Files\Symantec Shared\SAVSubmissionEngine moved successfully.
C:\Program Files\Common Files\Symantec Shared\MSL moved successfully.
C:\Program Files\Common Files\Symantec Shared\Help moved successfully.
C:\Program Files\Common Files\Symantec Shared\Global Exceptions moved successfully.
C:\Program Files\Common Files\Symantec Shared\EENGINE moved successfully.
C:\Program Files\Common Files\Symantec Shared\COH moved successfully.
C:\Program Files\Common Files\Symantec Shared moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_yp7ecVeDuTLo3ftfaeTJ scheduled to be deleted on reboot.
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 5844184 bytes
->Java cache emptied: 0 bytes
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\XUL.mfl scheduled to be deleted on reboot.
->FireFox cache emptied: 46489032 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: edinburg
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Integrity
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: jpalreiro
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: raguilar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: tgaddie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 553 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 49.96 mb


OTL by OldTimer - Version 3.0.20.0 log created on 10142009_082025

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Administrator\Local Settings\Temp\etilqs_yp7ecVeDuTLo3ftfaeTJ not found!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\j88gft5t.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users