Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

packed.win32.tdss.y


  • Please log in to reply
9 replies to this topic

#1 seg42

seg42

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 23 September 2009 - 09:04 AM

A client recently brought in a machine that was heavily infected. We're not sure what got on their first, but a sweep with nortons caught 5 or 6 serious infections (I don't know what all of these were, seeing as it was another tech from the department who did this and the only one they noted was Virus.Win32.Gpcode.ak ). After the machine was shut down and brought to my section I could not bring windows back up again. Because the client needs files from this machine we can't just wipe it and reinstall windows. We currently have the machine booted off a Linux CD and have been pulling the files off onto an external hard drive and scanning them on an isolated laptop. We manually found an infected AutoCAD file (acad.vlx) and kaspersky cleaned off 4 different cases of packed.win32.tdss.y. We ran a malwarebytes scan over night just to be sure that everything was completely clean, and came in this morning to find that kaspersky had caught those same three packed.win32.tdss.y again. There is some kind of re-infector, but I don't know how to locate it. Help?

BC AdBot (Login to Remove)

 


#2 Skydie

Skydie

  • Members
  • 353 posts
  • OFFLINE
  •  
  • Local time:07:35 AM

Posted 23 September 2009 - 11:35 AM

Run a MBAM full scan after updating MBAM and post it here please.

You can download MBAM (Malwarebytes) off www.download.com

#3 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:35 AM

Posted 24 September 2009 - 08:25 PM

packed.win32.tdss.y

It is a rootkit and copying the files is indeed risky


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 29 September 2009 - 05:10 PM

First thing I did was run a malwarebytes scan. It didn't pick up anything, the report says the computer was clean.


garmanma: I did as you said, but when I hit scan I was presented with the blue screen of death. Suggestions?

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:35 AM

Posted 29 September 2009 - 07:14 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

    --------------------------------------
Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 01 October 2009 - 08:16 AM

The screen has started flickering badly, but this doen't happen (surprise surprise) in safe mode. Here are the requested logs.


Win32kDiag

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!




Log.TXT

Volume in drive C has no label.
Volume Serial Number is F8CB-FF15

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 07:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

02/28/2006 07:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 30,694,903,808 bytes free

#7 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:35 AM

Posted 01 October 2009 - 05:22 PM

I would recommend one more scan



We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#8 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:35 AM

Posted 01 October 2009 - 05:28 PM

I would recommend one more scan



We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 seg42

seg42
  • Topic Starter

  • Members
  • 81 posts
  • OFFLINE
  •  
  • Local time:12:35 AM

Posted 02 October 2009 - 10:31 AM

OTL logfile created on: 10/2/2009 10:28:16 AM - Run 1
OTL by OldTimer - Version 3.0.17.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.10 Mb Total Physical Memory | 708.66 Mb Available Physical Memory | 79.26% Memory free
2.12 Gb Paging File | 2.02 Gb Available in Paging File | 95.21% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 28.59 Gb Free Space | 73.18% Space Free | Partition Type: NTFS
Drive D: | 27.65 Gb Total Space | 27.59 Gb Free Space | 99.77% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HUGO
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/06/29 03:35:10 | 00,634,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/10/02 10:27:35 | 00,519,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2006/04/27 09:39:50 | 00,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\Ati2evxx.exe -- (Ati HotKey Poller [Disabled | Stopped])
SRV - [2009/09/23 10:25:50 | 00,231,952 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe -- (AVP [Auto | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2003/05/07 14:21:00 | 01,413,184 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND [Auto | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2003/07/28 13:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2001/08/17 13:11:18 | 00,020,160 | ---- | M] (ADMtek Incorporated) -- C:\WINDOWS\System32\DRIVERS\ADM8511.SYS -- (ADM8511 [On_Demand | Stopped])
DRV - [2007/04/16 22:46:34 | 00,033,792 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\System32\DRIVERS\AmdPPM.sys -- (AmdPPM [System | Stopped])
DRV - [2007/03/27 05:27:02 | 00,543,712 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\System32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Running])
DRV - [2006/04/27 09:46:50 | 01,540,096 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Stopped])
DRV - [2003/05/01 14:26:34 | 00,005,220 | R--- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\CVirtA.sys -- (CVirtA [On_Demand | Stopped])
DRV - [2003/05/07 14:22:16 | 00,268,874 | ---- | M] (Cisco Systems, Inc.) -- C:\WINDOWS\System32\Drivers\CVPNDRVA.sys -- (CVPNDRVA [Auto | Stopped])
DRV - [2002/10/17 15:22:50 | 00,138,916 | ---- | M] (Deterministic Networks, Inc.) -- C:\WINDOWS\System32\DRIVERS\dne2000.sys -- (DNE [On_Demand | Running])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2006/01/11 16:13:34 | 00,935,424 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_DPV.sys -- (HSF_DPV [On_Demand | Stopped])
DRV - [2006/01/11 16:12:54 | 00,194,048 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSXHWAZL.sys -- (HSXHWAZL [On_Demand | Stopped])
DRV - [2005/09/23 18:56:28 | 03,966,976 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Stopped])
DRV - [2008/05/28 12:04:45 | 00,112,144 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1 [Boot | Stopped])
DRV - [2009/09/23 10:25:50 | 00,201,504 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys -- (klif [System | Stopped])
DRV - [2007/05/30 17:49:06 | 00,024,344 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\DRIVERS\klim5.sys -- (klim5 [On_Demand | Running])
DRV - [2005/10/05 16:57:08 | 00,012,544 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Stopped])
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/11/20 12:09:22 | 00,104,320 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2004/08/03 17:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\DRIVERS\RTL8139.SYS -- (rtl8139 [On_Demand | Stopped])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/01/26 13:55:08 | 00,069,168 | ---- | M] (Silicon Image, Inc.) -- C:\WINDOWS\system32\DRIVERS\SI3112.sys -- (SI3112 [Boot | Running])
DRV - [2007/01/26 13:55:32 | 00,017,328 | ---- | M] (Silicon Image, Inc.) -- C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys -- (SiFilter [Boot | Running])
DRV - [2003/03/03 15:08:56 | 00,176,896 | ---- | M] (Zone Labs Inc.) -- C:\WINDOWS\System32\vsdatant.sys -- (vsdatant [On_Demand | Stopped])
DRV - [2006/01/11 16:12:50 | 00,671,232 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSX_CNXT.sys -- (winachsf [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-796845957-573735546-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-796845957-573735546-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-796845957-573735546-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hursttech.com/
IE - HKU\S-1-5-21-796845957-573735546-725345543-500\S-1-5-21-796845957-573735546-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/23 07:38:22 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [PDF4 Registry Controller] C:\Program Files\ScanSoft\PDF Professional 4.0\RegistryController.exe (Nuance Communications, Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico ()
O4 - Startup: C:\Documents and Settings\leem\Start Menu\Programs\Startup\openoffice.org 2.0.lnk = File not found
O4 - Startup: C:\Documents and Settings\leem\Start Menu\Programs\Startup\surgeplus tray icon.lnk = File not found
O4 - Startup: C:\Documents and Settings\leem\Start Menu\Programs\Startup\surgeplus.lnk = C:\Program Files\SurgePlus\surgeplus.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-796845957-573735546-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - C:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll ()
O9 - Extra Button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1193943043062 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1193943129234 (MUWebControl Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\adialhk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\System32\klogon.dll (Kaspersky Lab)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/11/01 12:36:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{b4c65d4c-a792-11de-8945-0016d4692d28}\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe -- File not found
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\WD_Windows_Tools\Setup.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/10/02 10:27:32 | 00,519,168 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/01 08:06:53 | 00,047,616 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
[2009/09/29 17:05:31 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/29 17:05:08 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Administrator\Desktop\root.exe
[2009/09/23 10:46:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\log2
[2009/09/23 10:42:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\LOG
[2009/09/23 10:40:41 | 05,655,040 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\avz.exe
[2009/09/23 10:23:18 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/09/23 09:30:17 | 61,921,608 | ---- | C] (InstallShield Software Corporation ) -- C:\Documents and Settings\Administrator\Desktop\kav6.0.3.837_winwksen.exe
[2009/09/23 09:24:18 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tomozw3j.exe
[2009/09/23 09:23:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2009/09/23 07:40:11 | 00,000,260 | ---- | C] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/09/23 07:40:10 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\KB905474
[2009/09/22 12:57:01 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/09/22 12:56:57 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/22 12:56:54 | 00,038,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/22 12:56:52 | 00,019,096 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/22 12:56:52 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/22 12:56:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/22 10:08:40 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/09/19 03:07:27 | 00,000,000 | ---D | C] -- C:\154291984c3a056d61ed6d1e1d82
[2009/09/18 08:33:22 | 00,153,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\triedit.dll
[2009/09/18 08:33:14 | 00,128,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\dhtmled.ocx
[2009/09/18 08:32:56 | 01,315,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msoe.dll
[2008/03/25 12:56:49 | 00,000,444 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2008/01/16 16:18:09 | 00,000,056 | ---- | C] () -- C:\WINDOWS\tiger.ini
[2007/11/13 12:49:08 | 00,000,045 | ---- | C] () -- C:\WINDOWS\WIND2RTE.INI
[2007/11/13 12:49:06 | 00,003,516 | ---- | C] () -- C:\WINDOWS\foxfix5.ini
[2007/11/13 12:49:05 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\w2crpe.dll
[2007/11/13 12:49:05 | 00,005,632 | ---- | C] () -- C:\WINDOWS\System32\W2UNINST.DLL
[2007/11/01 13:46:37 | 00,000,636 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/28 07:00:00 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 07:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/05/07 14:21:26 | 00,127,042 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2002/02/27 11:41:28 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
[2002/02/27 11:41:26 | 00,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2002/02/27 11:41:26 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll
[1998/06/10 16:08:40 | 00,015,120 | ---- | C] () -- C:\WINDOWS\System32\Reputil.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/10/02 10:27:35 | 00,519,168 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2009/10/02 10:25:41 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/02 10:25:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/02 10:24:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/01 08:16:46 | 03,184,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/10/01 08:08:21 | 00,521,942 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/01 08:08:21 | 00,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/01 08:08:21 | 00,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/01 08:06:57 | 00,047,616 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe
[2009/10/01 08:01:21 | 13,208,864 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/10/01 08:01:21 | 01,009,952 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2009/10/01 08:01:21 | 00,180,068 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/10/01 08:01:21 | 00,097,772 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2009/10/01 07:56:58 | 00,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2009/10/01 07:56:58 | 00,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/09/29 17:05:31 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\settings.dat
[2009/09/29 17:05:08 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Administrator\Desktop\root.exe
[2009/09/23 10:40:41 | 05,655,040 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\avz.exe
[2009/09/23 10:25:50 | 00,201,504 | ---- | M] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/09/23 09:30:23 | 61,921,608 | ---- | M] (InstallShield Software Corporation ) -- C:\Documents and Settings\Administrator\Desktop\kav6.0.3.837_winwksen.exe
[2009/09/23 09:24:19 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tomozw3j.exe
[2009/09/23 07:39:45 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/22 12:56:57 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/22 10:08:58 | 00,107,547 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2009/09/22 10:08:58 | 00,095,259 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2009/09/19 03:24:27 | 00,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
< End of report >


OTL Extras logfile created on: 10/2/2009 10:28:16 AM - Run 1
OTL by OldTimer - Version 3.0.17.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.10 Mb Total Physical Memory | 708.66 Mb Available Physical Memory | 79.26% Memory free
2.12 Gb Paging File | 2.02 Gb Available in Paging File | 95.21% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39.06 Gb Total Space | 28.59 Gb Free Space | 73.18% Space Free | Partition Type: NTFS
Drive D: | 27.65 Gb Total Space | 27.59 Gb Free Space | 99.77% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HUGO
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "C:\WINDOWS\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" = C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE:*:Enabled:Microsoft Office Excel -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE" = C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE:*:Enabled:Microsoft Office Word -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Visio11\VISIO.EXE" = C:\Program Files\Microsoft Office\Visio11\VISIO.EXE:*:Enabled:Microsoft Office Visio -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1727CD47-A408-11d2-AFAD-00C04F72FB3E}" = VBA
"{3244172E-EFEB-4D49-985A-FFA4934937F4}" = Crystal XI Runtime for Deltek RTE
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}" = Cisco Systems VPN Client 4.0.1 (Rel)
"{40B0A7CC-1676-43E9-8444-2EF2377E87B8}" = ScanSoft PDF Professional 4
"{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747}" = Ad-Aware SE Personal
"{79B05AF4-8894-49A1-9FF4-53F0142D85E1}" = ATI Catalyst Control Center
"{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"{90520409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Viewer 2003 (English)
"{913A0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Project Standard 2003
"{91530409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Standard 2003
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FC2122F4-CB95-4040-BD94-712ED9828A3C}" = Microsoft Visual Foxpro 9 Runtime
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"CNXT_MODEM_PCI_VEN_14F1&DEV_2BFA&SUBSYS_1025009F" = Soft Data Fax Modem with SmartCP
"Deltek Remote Time Entry" = Deltek Remote Time Entry
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallWIX_{79B986AD-54D8-4498-AA06-89808829ACC0}" = Kaspersky Anti-Virus 6.0 for Windows Workstations
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"SurgePlus" = SurgePlus
"WIC" = Windows Imaging Component
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/20/2008 3:19:00 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 9/4/2008 12:46:11 PM | Computer Name = HUGO | Source = ESENT | ID = 490
Description = svchost (1964) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\edbtmp.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 11/13/2008 4:43:06 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 11/13/2008 4:43:08 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 11/26/2008 12:42:18 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 11/26/2008 12:42:28 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 11/26/2008 12:42:41 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 11/26/2008 12:42:44 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 2/15/2009 5:19:46 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

Error - 2/15/2009 5:20:13 PM | Computer Name = HUGO | Source = MsiInstaller | ID = 11706
Description = Product: ScanSoft PDF Professional 4 -- Error 1706.No valid source
could be found for product ScanSoft PDF Professional 4. The Windows Installer
cannot continue.

[ System Events ]
Error - 10/16/2008 3:23:19 PM | Computer Name = HUGO | Source = Dhcp | ID = 1002
Description = The IP address lease 98.201.89.3 for the Network Card with network
address 0016D4692D28 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 10/16/2008 3:23:44 PM | Computer Name = HUGO | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.100.10
on the Network Card with network address 0016D4692D28.

Error - 10/22/2008 11:16:50 AM | Computer Name = HUGO | Source = System Error | ID = 1003
Description = Error code 0000009c, parameter1 00000000, parameter2 80546e70, parameter3
f6000000, parameter4 00010016.


< End of report >

#10 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:02:35 AM

Posted 02 October 2009 - 08:08 PM

Now that you were successful in creating an OTL log you need to post it in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
If it won't run, don't worry, just give a brief description and tell them that the OTL log was all you could get to run successfully
Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users