Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown (at least to me) Browser Hijacker


  • This topic is locked This topic is locked
24 replies to this topic

#1 cwheit

cwheit

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 07 December 2009 - 09:09 PM

I have tried many different steps to get rid of this and it is driving me nuts.

Everything will seem fine for a while, then when I click on a link from a google search, I get redirected all over the place. The landing point isn't consistent at all.

I wish I had better information, but that's all I've got. Can you help?




DDS (Ver_09-12-01.01) - NTFSx86
Run by cheit at 20:37:13.42 on Mon 12/07/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1178 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 091207-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Documents and Settings\cheit\My Documents\Computer Repair\HiJackThis.exe
C:\Program Files\IDM Computer Solutions\UltraEdit\Uedit32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cheit\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://delmontenow.na.dlmfoods.net
mDefault_Page_URL = hxxp://delmontenow.na.dlmfoods.net
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228488882784
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: IfxWlxEN - IfxWlxEN.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli zugezevu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cheit\applic~1\mozilla\firefox\profiles\paftgdjo.default\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2008-12-5 174600]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-12-5 3840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-10 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-10 114768]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2005-11-29 36768]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [2009-8-19 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-10 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-10 138680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2007-11-1 399032]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-10 352920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-8-18 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-12-28 36352]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091206.005\naveng.sys [2009-12-7 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091206.005\navex15.sys [2009-12-7 1323568]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-12-4 65664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-10-26 2799808]

=============== Created Last 30 ================

2009-12-08 00:00:47 0 d-----w- c:\windows\system32\appmgmt
2009-11-27 13:28:12 5120 --sha-w- c:\windows\system32\Thumbs.db
2009-11-13 18:35:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-10 14:25:54 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-10 14:25:50 0 d-----w- c:\program files\Panda Security
2009-11-10 06:26:08 0 d-s---w- c:\documents and settings\cheit\UserData
2009-11-10 05:57:00 0 d-----w- c:\program files\BeClean
2009-11-10 02:20:58 0 d-----w- c:\windows\pss
2009-11-09 20:38:41 35328 ----a-w- C:\temp.xls
2009-11-09 20:26:36 0 ----a-w- C:\temp.xm_
2009-11-09 15:01:43 0 d-----w- C:\pm

==================== Find3M ====================

2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 13:18:22 1147925946 ----a-w- c:\program files\DFOSetup12N.exe
2009-10-07 13:15:43 60744 ----a-w- c:\documents and settings\cheit\g2mdlhlpx.exe
2009-09-25 10:01:10 886763 ----a-w- c:\windows\Seasword.exe
2009-09-25 10:01:10 407848 ----a-w- c:\windows\Seasword.scr
2009-09-25 10:01:09 29696 ----a-w- c:\windows\mickey32.dll

============= FINISH: 20:37:52.12 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 20 December 2009 - 03:35 PM

Hi,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.


We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    CREATERESTOREPOINT

  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Then please post back here with the following logs:
  • OTL.txt
  • Extra.txt
Thanks

unite.jpg


#3 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 24 December 2009 - 10:56 AM

OTL logfile created on: 12/24/2009 10:47:13 AM - Run 1
OTL by OldTimer - Version 3.1.20.0 Folder = C:\Documents and Settings\cheit\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 55.17 Gb Free Space | 74.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.51 Gb Total Space | 890.60 Gb Free Space | 95.61% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WNAPGH-CHEIT1
Current User Name: cheit
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/24 10:45:22 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cheit\My Documents\Downloads\OTL.exe
PRC - [2009/11/24 18:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/11/02 22:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/02/19 09:59:00 | 01,913,552 | ---- | M] (Cisco Systems, Inc) -- C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
PRC - [2008/12/16 22:05:00 | 05,160,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office Communicator\communicator.exe
PRC - [2008/10/02 11:23:16 | 00,546,288 | ---- | M] (Google) -- C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
PRC - [2008/05/20 03:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2008/04/14 04:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/22 15:34:06 | 00,512,000 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2007/11/08 00:26:42 | 00,228,872 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\vsjitdebugger.exe
PRC - [2007/11/01 13:47:52 | 00,399,032 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
PRC - [2007/10/19 12:05:34 | 00,177,456 | ---- | M] ( Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
PRC - [2007/09/14 18:27:20 | 01,015,808 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2007/05/16 08:12:20 | 00,671,744 | ---- | M] () -- C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
PRC - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2007/02/10 04:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2007/02/10 04:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2007/01/09 14:52:32 | 00,145,184 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
PRC - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
PRC - [2006/11/03 18:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/09/27 19:33:44 | 00,125,168 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/09/27 19:33:38 | 00,116,464 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/07/19 18:26:04 | 00,052,896 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/05/02 13:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
PRC - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2006/03/03 14:29:04 | 00,507,904 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXSPMGT.exe
PRC - [2006/03/03 14:28:18 | 00,136,736 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
PRC - [2006/03/03 14:07:40 | 00,741,376 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IFXTCS.exe
PRC - [2006/02/27 15:55:44 | 00,258,103 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
PRC - [2006/01/16 21:01:46 | 00,053,248 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\accelerometerST.exe


========== Modules (SafeList) ==========

MOD - [2009/12/24 10:45:22 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\cheit\My Documents\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 18:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 18:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 18:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 18:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/11/04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/05/20 03:00:00 | 00,757,792 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2008/05/20 03:00:00 | 00,249,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2008/04/14 04:41:56 | 00,028,160 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\irmon.dll -- (Irmon)
SRV - [2008/03/18 15:27:12 | 00,013,312 | ---- | M] (Agere Systems) [Disabled | Stopped] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2008/01/22 15:34:06 | 00,512,000 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2007/11/01 13:47:52 | 00,399,032 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe -- (vpnagent)
SRV - [2007/03/12 03:35:02 | 00,217,088 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Stopped] -- C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2007/02/10 04:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS) SQL Server (SQLEXPRESS)
SRV - [2007/02/10 04:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2006/11/08 16:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.dll -- (Pml Driver HPZ12)
SRV - [2006/11/08 16:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\WINDOWS\system32\HPZinw12.dll -- (Net Driver HPZ12)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/10/26 13:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/26 12:45:00 | 02,799,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon80)
SRV - [2006/09/27 19:33:38 | 00,116,464 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/09/27 19:33:32 | 01,813,232 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/09/27 19:33:22 | 00,031,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/09/02 15:36:33 | 02,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 15:03:02 | 00,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/07/19 18:26:12 | 00,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/07/19 18:26:06 | 00,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/05/02 13:41:28 | 00,135,168 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Auto | Running] -- C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe -- (hpqwmiex)
SRV - [2006/04/11 16:13:38 | 01,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/03/03 14:29:04 | 00,507,904 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\WINDOWS\system32\IFXSPMGT.exe -- (IFXSpMgtSrv)
SRV - [2006/03/03 14:07:40 | 00,741,376 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\WINDOWS\system32\IFXTCS.exe -- (IFXTCS)
SRV - [2006/02/27 15:55:44 | 00,258,103 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2005/11/29 15:56:36 | 00,099,872 | ---- | M] (Infineon Technologies AG) [Disabled | Stopped] -- C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE -- (PersonalSecureDriveService)
SRV - [2005/10/14 01:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/11/24 18:49:07 | 00,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 18:48:57 | 00,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 18:47:54 | 00,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/11/10 17:48:05 | 01,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091218.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/11/10 17:48:05 | 00,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091218.003\NAVENG.SYS -- (NAVENG)
DRV - [2009/09/15 06:56:14 | 00,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/09/15 06:55:30 | 00,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/09/15 06:55:19 | 00,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/08/17 19:15:34 | 00,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2009/08/17 19:15:31 | 00,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/06/30 09:37:16 | 00,028,552 | ---- | M] (Panda Security, S.L.) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot)
DRV - [2008/11/17 14:23:16 | 03,636,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) Intel®
DRV - [2008/06/10 21:51:14 | 00,318,488 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2008/05/27 13:55:48 | 00,174,600 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ahcix86.sys -- (ahcix86)
DRV - [2008/05/20 03:00:00 | 00,023,584 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2008/04/28 19:22:10 | 00,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 23:06:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 23:06:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 21:09:16 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 21:06:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/13 19:15:30 | 00,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/08 16:27:04 | 00,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2008/03/21 15:13:00 | 01,203,776 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2008/01/22 16:38:04 | 02,845,696 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/11/01 13:39:18 | 00,024,176 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vpnva.sys -- (vpnva)
DRV - [2007/10/31 09:23:20 | 02,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/10/01 12:27:40 | 00,281,600 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/09/14 18:09:44 | 00,213,696 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/07/13 09:26:12 | 00,094,976 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (AEAudio)
DRV - [2007/06/18 15:12:04 | 00,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/06/01 10:27:00 | 00,145,288 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/03/08 14:20:50 | 00,021,568 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2007/03/08 14:20:49 | 00,016,496 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2007/03/08 14:20:48 | 00,049,920 | ---- | M] (HP) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HPZid412.sys -- (HPZid412)
DRV - [2007/01/24 13:44:06 | 00,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/10/17 09:59:06 | 00,022,016 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2006/10/17 09:57:58 | 00,017,920 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2006/09/18 16:55:28 | 00,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/14 15:55:00 | 00,088,192 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2006/09/13 15:06:30 | 00,003,840 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\atiide.sys -- (atiide)
DRV - [2006/09/06 13:41:20 | 00,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 13:41:20 | 00,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 15:02:26 | 00,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 15:02:22 | 00,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 16:13:34 | 00,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/02/28 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2006/02/27 15:48:20 | 00,401,664 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2006/02/27 15:45:48 | 01,342,602 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2006/02/27 15:43:06 | 00,057,096 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2006/01/12 09:06:22 | 00,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/11/29 15:56:28 | 00,036,768 | ---- | M] (Infineon Technologies AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive)
DRV - [2005/10/21 10:19:34 | 00,036,352 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2001/12/19 10:45:00 | 00,008,576 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\VCdRom.sys -- (vcdrom)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 11:10:28 | 00,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)
DRV - [2001/08/17 08:57:46 | 00,065,664 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s3legacy.sys -- (s3legacy)
DRV - [2001/08/17 07:12:02 | 00,063,208 | ---- | M] (Intel Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dc21x4.sys -- (DC21x4)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delmontenow.na.dlmfoods.net
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-448539723-1284227242-839522115-51998\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://delmontenow.na.dlmfoods.net
IE - HKU\S-1-5-21-448539723-1284227242-839522115-51998\S-1-5-21-448539723-1284227242-839522115-51998\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "www.igoogle.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.1
FF - prefs.js..extensions.enabledItems: foxmarks@kei.com:3.4.6

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/07 16:51:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/07 18:09:21 | 00,000,000 | ---D | M]

[2009/12/07 16:51:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\cheit\Application Data\Mozilla\Extensions
[2009/08/27 14:56:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\cheit\Application Data\Mozilla\Extensions\home2@tomtom.com
[2009/12/24 09:54:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\extensions
[2009/12/07 16:53:26 | 00,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/12/07 16:53:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\extensions\foxmarks@kei.com
[2009/12/07 16:50:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (36 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - HKLM..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\communicator.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe ( Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe (Cisco Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe (Google)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: ([]msn in My Computer)
O15 - HKLM\..Trusted Domains: charliescorner ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: delmonte.biz ([www] * in Local intranet)
O15 - HKLM\..Trusted Domains: delmonte.biz ([www] http in Local intranet)
O15 - HKLM\..Trusted Domains: delmonte.biz ([www] https in Local intranet)
O15 - HKLM\..Trusted Domains: delmonte.net ([dmfsfa15] http in Local intranet)
O15 - HKLM\..Trusted Domains: delmontenow ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmatlas ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([delmontenow.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([dlmatlas.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([finance.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([marketing.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([mysite.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([mytraining1.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([pghemailarchive.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([rqs.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([sales.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([sfoemailarchive.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([snapghapp05.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([snapghapp11.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([snapghdev02.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([snapghdev05.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([teamsites.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dlmfoods.net ([training.na] http in Local intranet)
O15 - HKLM\..Trusted Domains: dmintranet ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: finance ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: marketing ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: mysite ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: mytraining ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: rqs ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: sales ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: snapghvdev03 ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: starkist.net ([charliescorner] http in Local intranet)
O15 - HKLM\..Trusted Domains: teamsites ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: training ([]http in Local intranet)
O15 - HKLM\..Trusted Domains: 4 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\.DEFAULT\..Trusted Domains: charliescorner ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: delmonte.biz ([www] * in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: delmonte.biz ([www] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: delmonte.biz ([www] https in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: delmonte.net ([dmfsfa15] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: delmontenow ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmatlas ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([delmontenow.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([dlmatlas.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([finance.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([marketing.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([mysite.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([mytraining1.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([pghemailarchive.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([rqs.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([sales.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([sfoemailarchive.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([snapghapp05.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([snapghapp11.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([snapghdev02.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([snapghdev05.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([teamsites.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dlmfoods.net ([training.na] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: dmintranet ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: finance ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: marketing ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: mysite ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: mytraining ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: rqs ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: sales ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: snapghvdev03 ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: starkist.net ([charliescorner] http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: teamsites ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: training ([]http in Local intranet)
O15 - HKU\.DEFAULT\..Trusted Domains: 4 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-18\..Trusted Domains: charliescorner ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: delmonte.biz ([www] * in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: delmonte.biz ([www] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: delmonte.biz ([www] https in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: delmonte.net ([dmfsfa15] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: delmontenow ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmatlas ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([delmontenow.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([dlmatlas.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([finance.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([marketing.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([mysite.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([mytraining1.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([pghemailarchive.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([rqs.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([sales.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([sfoemailarchive.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([snapghapp05.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([snapghapp11.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([snapghdev02.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([snapghdev05.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([teamsites.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dlmfoods.net ([training.na] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: dmintranet ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: finance ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: marketing ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: mysite ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: mytraining ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: rqs ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: sales ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: snapghvdev03 ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: starkist.net ([charliescorner] http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: teamsites ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: training ([]http in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Domains: 4 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: ([]msn in My Computer)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: charliescorner ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: delmonte.biz ([www] * in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: delmonte.biz ([www] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: delmonte.biz ([www] https in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: delmonte.net ([dmfsfa15] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: delmontenow ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmatlas ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([delmontenow.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([dlmatlas.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([finance.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([marketing.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([mysite.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([mytraining1.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([pghemailarchive.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([rqs.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([sales.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([sfoemailarchive.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([snapghapp05.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([snapghapp11.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([snapghdev02.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([snapghdev05.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([teamsites.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dlmfoods.net ([training.na] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: dmintranet ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: finance ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: marketing ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: mysite ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: mytraining ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: rqs ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: sales ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: snapghvdev03 ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: starkist.net ([charliescorner] http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: teamsites ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: training ([]http in Local intranet)
O15 - HKU\S-1-5-21-448539723-1284227242-839522115-51998\..Trusted Domains: 4 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1228488882784 (WUWebControl Class)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 vpnweb.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.17.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.DLMFOODS.NET
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\IfxWlxEN: DllName - IfxWlxEN.dll - C:\WINDOWS\System32\IfxWlxEN.dll (Infineon Technologies AG)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/18 15:33:34 | 00,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{2d8ea349-9326-11de-a278-001b778c82d9}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

CREATERESTOREPOINT
Error starting restore point: System Restore is disabled.
Error closing restore point: System Restore is disabled.

========== Files/Folders - Created Within 30 Days ==========

[2009/12/24 09:58:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Hewlett-Packard
[2009/12/24 09:57:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
[2009/12/24 09:57:00 | 00,117,760 | ---- | C] (Hewlett-Packard Company) -- C:\WINDOWS\System32\hpzll5ha.dll
[2009/12/24 09:56:48 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2009/12/24 09:56:47 | 00,021,568 | ---- | C] (HP) -- C:\WINDOWS\System32\drivers\HPZius12.sys
[2009/12/24 09:56:46 | 00,049,920 | ---- | C] (HP) -- C:\WINDOWS\System32\drivers\HPZid412.sys
[2009/12/24 09:56:46 | 00,016,496 | ---- | C] (HP) -- C:\WINDOWS\System32\drivers\HPZipr12.sys
[2009/12/24 09:56:44 | 00,267,864 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpzids01.dll
[2009/12/24 09:56:40 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/12/24 09:56:39 | 00,675,840 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hpowiax3.dll
[2009/12/24 09:56:39 | 00,569,344 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\hpotscl3.dll
[2009/12/24 09:56:39 | 00,364,544 | ---- | C] (Hewlett-Packard) -- C:\WINDOWS\System32\hppldcoi.dll
[2009/12/24 09:56:39 | 00,309,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\difxapi.dll
[2009/12/24 09:56:39 | 00,303,104 | ---- | C] (Hewlett-Packard Co.) -- C:\WINDOWS\System32\hpovst10.dll
[2009/12/24 09:56:39 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2009/12/24 09:56:32 | 00,000,000 | ---D | C] -- C:\Program Files\HP
[2009/12/24 09:55:55 | 00,000,000 | -H-D | C] -- C:\Config.Msi
[2009/12/24 09:43:45 | 00,025,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbprint.sys
[2009/12/07 20:41:52 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\cheit\Desktop\RootRepeal.exe
[2009/12/07 19:00:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/12/03 09:46:13 | 00,000,000 | R--D | C] -- C:\Documents and Settings\cheit\Desktop\System Reference Manual
[2009/12/03 09:46:11 | 00,000,000 | R--D | C] -- C:\Documents and Settings\cheit\Desktop\Mainsaver User Guide
[2009/12/03 09:46:09 | 00,000,000 | R--D | C] -- C:\Documents and Settings\cheit\Desktop\Installation Guide
[2009/11/28 00:26:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\cheit\My Documents\Temp
[2009/10/24 07:12:07 | 11,479,25946 | ---- | C] (Nexon) -- C:\Program Files\DFOSetup12N.exe
[2009/09/16 08:31:38 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/08/18 18:27:33 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/18 16:01:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/18 15:45:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\InstallShield
[2008/12/04 12:04:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/12/24 10:30:30 | 00,055,112 | ---- | M] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/24 10:15:22 | 04,718,592 | -H-- | M] () -- C:\Documents and Settings\cheit\NTUSER.DAT
[2009/12/24 10:00:46 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/12/24 09:58:35 | 00,124,378 | ---- | M] () -- C:\WINDOWS\hpoins14.dat
[2009/12/24 09:42:53 | 00,000,402 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2009/12/24 09:42:12 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/24 09:40:49 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/24 09:40:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/24 09:40:13 | 21,468,81536 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/19 00:48:47 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\cheit\ntuser.ini
[2009/12/18 08:42:33 | 00,020,620 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/12/17 13:42:47 | 00,140,288 | ---- | M] () -- C:\Documents and Settings\cheit\My Documents\R5WSMESSAGESTATUS.xls
[2009/12/14 18:57:38 | 00,014,246 | ---- | M] () -- C:\Documents and Settings\cheit\My Documents\Copy of System Code Changes Matrix- Buffalo.xlsx
[2009/12/14 08:01:31 | 00,001,728 | -H-- | M] () -- C:\Documents and Settings\cheit\My Documents\Default.rdp
[2009/12/12 22:29:56 | 00,018,432 | ---- | M] () -- C:\Documents and Settings\cheit\My Documents\BLM Data Issues.xls
[2009/12/11 14:38:56 | 00,029,696 | ---- | M] () -- C:\Documents and Settings\cheit\Desktop\New Assets.xls
[2009/12/11 14:22:26 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\cheit\My Documents\New Assets.xls
[2009/12/11 08:56:12 | 00,203,264 | ---- | M] () -- C:\Documents and Settings\cheit\Desktop\Bloomsburg EAM Conversion Schedule 121009.doc
[2009/12/07 20:42:54 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\cheit\Desktop\settings.dat
[2009/12/07 20:41:54 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\cheit\Desktop\RootRepeal.exe
[2009/12/07 20:33:09 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\cheit\Desktop\dds.scr
[2009/12/07 18:18:14 | 00,000,642 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/07 18:18:14 | 00,000,259 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/07 18:18:14 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[2009/12/07 16:50:25 | 00,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/07 16:24:40 | 00,000,036 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/12/03 17:01:53 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/02 01:21:40 | 00,001,097 | ---- | M] () -- C:\Documents and Settings\cheit\My Documents\ChatLog New meeting 2009_12_02 01_21.rtf
[2009/11/30 09:43:29 | 00,000,746 | RHS- | M] () -- C:\Documents and Settings\cheit\ntuser.pol
[2009/11/25 08:59:59 | 00,005,632 | ---- | M] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/24 18:54:29 | 01,280,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\aswBoot.exe
[2009/11/24 18:51:09 | 00,093,424 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2009/11/24 18:49:07 | 00,048,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2009/11/24 18:48:57 | 00,023,120 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2009/11/24 18:47:54 | 00,027,408 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2009/11/24 18:47:28 | 00,097,480 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\AvastSS.scr
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/24 09:55:41 | 00,000,340 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/12/24 09:55:36 | 00,124,378 | ---- | C] () -- C:\WINDOWS\hpoins14.dat
[2009/12/24 09:55:36 | 00,001,996 | ---- | C] () -- C:\WINDOWS\hpomdl14.dat
[2009/12/24 09:55:20 | 00,310,310 | ---- | C] () -- C:\WINDOWS\System32\autorun.inf
[2009/12/17 13:42:47 | 00,140,288 | ---- | C] () -- C:\Documents and Settings\cheit\My Documents\R5WSMESSAGESTATUS.xls
[2009/12/14 18:57:38 | 00,014,246 | ---- | C] () -- C:\Documents and Settings\cheit\My Documents\Copy of System Code Changes Matrix- Buffalo.xlsx
[2009/12/12 22:29:56 | 00,018,432 | ---- | C] () -- C:\Documents and Settings\cheit\My Documents\BLM Data Issues.xls
[2009/12/11 14:38:56 | 00,029,696 | ---- | C] () -- C:\Documents and Settings\cheit\Desktop\New Assets.xls
[2009/12/11 14:22:26 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\cheit\My Documents\New Assets.xls
[2009/12/10 19:29:35 | 00,203,264 | ---- | C] () -- C:\Documents and Settings\cheit\Desktop\Bloomsburg EAM Conversion Schedule 121009.doc
[2009/12/07 20:42:54 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\cheit\Desktop\settings.dat
[2009/12/07 20:33:05 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\cheit\Desktop\dds.scr
[2009/12/07 16:50:25 | 00,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/12/02 01:21:40 | 00,001,097 | ---- | C] () -- C:\Documents and Settings\cheit\My Documents\ChatLog New meeting 2009_12_02 01_21.rtf
[2009/10/12 09:47:24 | 00,087,552 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
[2009/09/25 03:07:49 | 00,005,632 | ---- | C] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/24 10:40:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2009/08/24 08:48:13 | 00,000,244 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/18 18:35:16 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\QSwitch.txt
[2009/08/18 18:35:16 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\DSwitch.txt
[2009/08/18 18:35:16 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\cheit\Local Settings\Application Data\AtStart.txt
[2009/08/18 15:52:01 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/08/18 15:52:01 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/08/18 15:52:01 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/08/18 15:52:01 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/08/18 15:52:01 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/08/18 15:52:01 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/08/18 15:43:03 | 00,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2008/12/05 11:44:01 | 00,000,402 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/12/05 11:32:29 | 00,318,488 | ---- | C] () -- C:\WINDOWS\System32\drivers\iaStor.sys
[2006/02/27 15:51:36 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2002/05/15 21:29:04 | 00,000,607 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2001/11/23 16:18:00 | 00,000,597 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 11:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== Custom Scans ==========


< # %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys
[2008/04/13 23:06:40 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2008/04/13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/13 23:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 04:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 04:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2007/07/12 15:35:02 | 00,305,176 | ---- | M] (Intel Corporation) MD5=2358C53F30CB9DCD1D3843C4E2F299B2 -- C:\Drivers\IntelSata\iastor.sys
[2005/10/12 11:07:12 | 00,874,240 | ---- | M] (Intel Corporation) MD5=309C4D86D989FB1FCF64BD30DC81C51B -- C:\Drivers\3\iastor.sys
[2008/06/10 21:51:14 | 00,318,488 | ---- | M] (Intel Corporation) MD5=DE7C12E59605EA7EA0CF6345AFEB0F07 -- C:\Drivers\IntelSata2\IaStor.sys
[2008/06/10 21:51:14 | 00,318,488 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\iaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 04:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 04:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 04:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 04:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
< End of report >


OTL Extras logfile created on: 12/24/2009 10:47:18 AM - Run 1
OTL by OldTimer - Version 3.1.20.0 Folder = C:\Documents and Settings\cheit\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 48.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 55.17 Gb Free Space | 74.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.51 Gb Total Space | 890.60 Gb Free Space | 95.61% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: WNAPGH-CHEIT1
Current User Name: cheit
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.ini [@ = UltraEdit.ini] -- C:\Program Files\IDM Computer Solutions\UltraEdit\Uedit32.exe (IDM Computer Solutions, Inc.)
.txt [@ = UltraEdit.txt] -- C:\Program Files\IDM Computer Solutions\UltraEdit\Uedit32.exe (IDM Computer Solutions, Inc.)

[HKEY_USERS\S-1-5-21-448539723-1284227242-839522115-51998\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office Communicator\communicator.exe" = C:\Program Files\Microsoft Office Communicator\communicator.exe:*:Enabled:Office Communicator -- (Microsoft Corporation)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\Program Files\Free SMTP Server\localsrv.exe" = C:\Program Files\Free SMTP Server\localsrv.exe:*:Enabled:localsrv -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe" = C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:*:Enabled:Microsoft Office Live Meeting 2007 -- (Microsoft Corporation)
"C:\Program Files\Windows Defender\MsMpEng.exe" = C:\Program Files\Windows Defender\MsMpEng.exe:*:Enabled:MsMpEng -- (Microsoft Corporation)
"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)
"C:\Nexon\DFO\DFO.exe" = C:\Nexon\DFO\DFO.exe:*:Enabled:Dungeon Fighter Online -- File not found
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04010300-6D72-4D54-8686-91D884A27B5C}" = Cisco Clean Access Agent
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{065717D4-B980-434B-B778-0F14FBDB4AC3}" = Cisco AnyConnect VPN Client
"{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}" = Microsoft SQL Server 2005 Books Online (English)
"{0D1CBBB9-F4A8-45B6-95E7-202BA61D7AF4}" = Microsoft Office Communicator 2007 R2
"{1517499C-3876-4D5D-BD39-F6CC976650CC}" = Infor EAM Upload Utility
"{1611A5CF-50B8-4669-98BF-087A28A8CB49}" = Microsoft Conferencing Add-in for Microsoft Office Outlook
"{227CEF3F-CBF9-441D-8D52-C11054322625}" = Quest Software Toad Data Modeler
"{2515BF88-E42E-4AFA-A8E7-DF272762589B}" = Microsoft Office Live Meeting 2007
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.30 J1
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
"{3F4EC965-28EF-45C3-B063-04B25D4E9679}" = HP Integrated Module with Bluetooth wireless technology
"{453F2E11-3877-49F5-8369-CF865E550F1A}" = Corporate Sender Photo Add In for Outlook
"{4BA3DDD4-BC91-48B2-8896-7A02C34829D7}" = HP Embedded Security for ProtectTools
"{4D2DFB70-AECB-47BF-A895-3B3AA544934F}" = Microsoft SQL Server 2005 Tools
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{585E2BAE-FDD1-46AA-A937-F818CEA1AA7C}" = SQL Server DBA Dashboard
"{5AE5DB70-5CE6-4876-A83E-8246CC36FC28}" = Microsoft Office PowerPoint 2007 Get Started Tab
"{5D97A4A7-C274-4B63-86D9-07A33435F505}" = InterVideo DVD Check
"{633BF422-E691-4BBC-9EF2-BEE3C48B9FB7}" = HP RISS Outlook PlugIn
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{68B52EFD-86CC-486E-A8D0-A3A1554CB5BC}" = Microsoft Office Word 2007 Get Started Tab
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{721ABC3B-5F12-4332-9C0C-C11424EF666C}" = WIMGAPI
"{75ECB75A-522C-4312-8DE7-597CDA9D96A3}" = HP Mobile Data Protection System
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8C62A94B-4AB6-485F-A111-93056684D340}" = SQLXML4
"{8DC42D05-680B-41B0-8878-6C14D24602DB}" = QuickTime
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{ED6F11EA-14E6-4599-95F4-F030486197D9}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-0052-0409-0000-0000000FF1CE}" = Microsoft Office Visio Viewer 2007
"{96327C3C-96BE-4C7A-A6F7-A71635E5949A}" = Microsoft SQL Server 2005 Backward compatibility
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AB706D91-2242-4E1D-B4D0-1ED35387F5A7}" = Microsoft Office Excel 2007 Get Started Tab
"{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{B2C61EBB-F47C-48ba-B375-27A40F8F48F7}" = HP Deskjet All-In-One Driver Software 9.0.A Corporate Edition
"{B4F35A00-24FD-4fb3-BF5E-413D5423434D}" = DJ_AIO_Software_min
"{BC6D5EAF-D314-4f47-8951-42CF14CB7316}" = dj_aio_corporate
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C25EF637-BE7A-4761-9B45-9069989C319F}" = Microsoft Visual Studio 2005 Premier Partner Edition - ENU
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE6A85D8-D6B9-479A-9FE9-A06E56881E61}" = Configuration Manager Client
"{D7A33067-9016-4D52-BC5B-D42E245AD3BA}" = UltraEdit v14.00
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F42051C0-6158-4656-BEF4-C43D5C480DC0}" = AuthenTec Fingerprint Sensor Minimum Install
"{F434F50E-7614-3EA8-9008-2FB866B697DA}" = Microsoft Visual Studio 2008 Standard Edition - ENU
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"BeClean_is1" = BeClean
"CutePDF Writer Installation" = CutePDF Writer 2.8
"Google Calendar Sync" = Google Calendar Sync
"HijackThis" = HijackThis 2.0.2
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2008 Standard Edition - ENU" = Microsoft Visual Studio 2008 Standard Edition - ENU
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PROPLUS" = Microsoft Office Professional Plus 2007
"RDC" = RDC
"Synergy" = Synergy
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinGimp-2.0_is1" = GIMP 2.6.7
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-448539723-1284227242-839522115-51998\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 12/18/2009 10:18:08 PM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Standard Shield provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 1:16:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Instant Messaging provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 1:16:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: P2P provider: cannot start because 'Norton
Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 1:16:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Standard Shield provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 9:39:42 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Instant Messaging provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 9:39:43 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: P2P provider: cannot start because 'Norton
Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/19/2009 9:39:43 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Standard Shield provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/24/2009 10:40:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Instant Messaging provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/24/2009 10:40:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: P2P provider: cannot start because 'Norton
Antivirus / Symantec Antivirus' is active!, 00000000.

Error - 12/24/2009 10:40:47 AM | Computer Name = WNAPGH-CHEIT1 | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Standard Shield provider: cannot start
because 'Norton Antivirus / Symantec Antivirus' is active!, 00000000.

[ Application Events ]
Error - 12/24/2009 11:03:02 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:07:36 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:12:06 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:16:42 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:21:12 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:26:09 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:31:33 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:36:50 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:42:06 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

Error - 12/24/2009 11:47:23 AM | Computer Name = WNAPGH-CHEIT1 | Source = Communicator | ID = 15728643
Description = Communicator was unable to resolve the DNS hostname of the login server
im01.na.dlmfoods.net. Resolution: If you are using manual configuration for Communicator,
please check that the server name is typed correctly and in full. If you are using
automatic configuration, the network administrator will need to double-check the
DNS A record configuration for im01.na.dlmfoods.net because it could not be resolved.

[ Cisco AnyConnect VPN Client Events ]
Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE07000E File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_DELETEIPFORWARDENTRY_FAILED

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE070013 File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_INTERFACE_NOT_FOUND

Error - 12/24/2009 10:40:38 AM | Computer Name = WNAPGH-CHEIT1 | Source = vpnagent | ID = 50331649
Description = Function: DeleteRoute Return code: 0xFE070013 File: .\ChangeRouteHelper.cpp
Line:
388 Description: ROUTETABLE_ERROR_INTERFACE_NOT_FOUND

[ OSession Events ]
Error - 9/11/2009 5:16:17 PM | Computer Name = WNAPGH-CHEIT1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 20
seconds with 0 seconds of active time. This session ended with a crash.

Error - 9/11/2009 5:19:23 PM | Computer Name = WNAPGH-CHEIT1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 52
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 12/19/2009 10:35:55 AM | Computer Name = WNAPGH-CHEIT1 | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 12/24/2009 10:41:26 AM | Computer Name = WNAPGH-CHEIT1 | Source = NETLOGON | ID = 5719
Description = No Domain Controller is available for domain NA due to the following:
%%1311. Make sure that the computer is connected to the network and try again. If
the problem persists, please contact your domain administrator.

Error - 12/24/2009 10:41:40 AM | Computer Name = WNAPGH-CHEIT1 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/24/2009 10:41:59 AM | Computer Name = WNAPGH-CHEIT1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 12/24/2009 10:41:59 AM | Computer Name = WNAPGH-CHEIT1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 12/24/2009 10:42:02 AM | Computer Name = WNAPGH-CHEIT1 | Source = W32Time | ID = 39452689
Description = Time Provider NtpClient: An error occurred during DNS lookup of the
manually configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup
again in 15 minutes. The error was: A socket operation was attempted to an unreachable
host. (0x80072751)

Error - 12/24/2009 10:42:02 AM | Computer Name = WNAPGH-CHEIT1 | Source = W32Time | ID = 39452701
Description = The time provider NtpClient is configured to acquire time from one
or more time sources, however none of the sources are currently accessible. No attempt
to contact a source will be made for 14 minutes. NtpClient has no source of accurate
time.

Error - 12/24/2009 10:43:01 AM | Computer Name = WNAPGH-CHEIT1 | Source = DCOM | ID = 10016
Description = The application-specific permission settings do not grant Local Launch
permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48}

to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be
modified using the Component Services administrative tool.

Error - 12/24/2009 10:44:12 AM | Computer Name = WNAPGH-CHEIT1 | Source = Dhcp | ID = 1002
Description = The IP address lease 10.20.0.64 for the Network Card with network
address 001B778C82D9 has been denied by the DHCP server 192.168.17.1 (The DHCP Server
sent a DHCPNACK message).

Error - 12/24/2009 10:45:17 AM | Computer Name = WNAPGH-CHEIT1 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}


< End of report >

Attached Files



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 24 December 2009 - 01:13 PM

Hi cwheit,

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

unite.jpg


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 29 December 2009 - 10:56 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg


#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 29 December 2009 - 11:04 AM

Topic reopened at OP request.

unite.jpg


#7 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 29 December 2009 - 11:40 AM

ComboFix 09-12-28.06 - cheit 12/29/2009 11:17:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1293 [GMT -5:00]
Running from: c:\documents and settings\cheit\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091229-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\cheit\My Documents\backup.reg
c:\windows\system32\AutoRun.inf

c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 15:43 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVEX32A.DLL
2009-12-29 15:43 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVENG.SYS
2009-12-29 15:43 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVENG32.DLL
2009-12-29 15:43 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVEX15.SYS
2009-12-29 15:43 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\ERASER.SYS
2009-12-29 15:43 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\EECTRL.SYS
2009-12-29 15:42 . 2009-12-18 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\ECMSVR32.DLL
2009-12-29 15:42 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\CCERASER.DLL
2009-12-29 15:41 . 2009-12-28 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\ECMSVR32.DLL
2009-12-29 15:41 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\CCERASER.DLL
2009-12-29 15:41 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVEX32A.DLL
2009-12-29 15:41 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVENG.SYS
2009-12-29 15:41 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVENG32.DLL
2009-12-29 15:41 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVEX15.SYS
2009-12-29 15:41 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\ERASER.SYS
2009-12-29 15:41 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\EECTRL.SYS
2009-12-24 17:17 . 2009-12-24 17:17 -------- d-----w- c:\windows\ms
2009-12-24 14:58 . 2009-12-24 14:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-24 14:57 . 2009-12-24 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-24 14:57 . 2007-03-28 19:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2009-12-24 14:57 . 2007-03-28 18:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2009-12-24 14:55 . 2009-12-24 14:58 124378 ----a-w- c:\windows\hpoins14.dat
2009-12-24 14:55 . 2007-09-20 15:05 1996 ------w- c:\windows\hpomdl14.dat
2009-12-24 14:43 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-24 14:43 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-09 03:37 . 2009-12-09 03:37 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 16:27 . 2009-08-18 21:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-24 15:30 . 2009-08-18 23:34 55112 ----a-w- c:\documents and settings\cheit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-24 14:56 . 2009-12-24 14:56 -------- d-----w- c:\program files\HP
2009-12-07 23:09 . 2009-10-24 12:09 -------- d-----w- c:\program files\Pando Networks
2009-12-07 23:08 . 2009-09-30 17:17 -------- d-----w- c:\program files\Free SMTP Server
2009-12-03 22:49 . 2009-09-22 13:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:49 . 2009-11-13 12:18 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-09-22 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-09-22 13:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-24 23:54 . 2009-11-10 14:47 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-11-10 14:47 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:49 . 2009-11-10 14:47 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-11-10 14:47 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-11-10 14:47 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-11-10 14:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-13 18:34 . 2009-11-13 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 12:28 . 2009-11-10 05:57 -------- d-----w- c:\program files\BeClean
2009-11-10 14:47 . 2009-11-10 14:47 -------- d-----w- c:\program files\Alwil Software
2009-11-10 14:25 . 2009-11-10 14:25 -------- d-----w- c:\program files\Panda Security
2009-11-04 15:06 . 2009-11-04 15:06 -------- d-----w- c:\program files\Google
2009-10-24 13:20 . 2009-10-24 13:20 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-10-24 13:20 . 2009-10-24 13:20 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-10-24 13:20 . 2009-10-24 13:20 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-10-24 13:20 . 2009-10-24 13:20 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-10-24 13:20 . 2009-10-24 13:20 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-10-24 13:20 . 2009-10-24 13:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-10-24 13:18 . 2009-10-24 12:12 1147925946 ----a-w- c:\program files\DFOSetup12N.exe
2009-10-07 13:15 . 2009-10-07 13:15 60744 ----a-w- c:\documents and settings\cheit\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5160288]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 19:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jiqfpjdu

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 21:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2006-09-05 23:02 184320 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PersonalSecureDriveService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"AgereModemAudio"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [12/5/2008 11:32 AM 174600]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [12/5/2008 11:33 AM 3840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/10/2009 9:25 AM 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/10/2009 9:47 AM 114768]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 3:56 PM 36768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [8/19/2009 8:28 AM 8576]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/10/2009 9:47 AM 20560]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [11/1/2007 1:47 PM 399032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 10:56 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/18/2009 3:34 PM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/28/2008 12:02 PM 36352]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [12/4/2008 6:27 AM 65664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [10/26/2006 12:45 PM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
------- Supplementary Scan -------
.
uStart Page = hxxp://delmontenow.na.dlmfoods.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\
FF - prefs.js: browser.startup.homepage - www.igoogle.com
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-kssbxoae - c:\documents and settings\cheit\Local Settings\Application Data\nhookq\osfwsysguard.exe
MSConfigStartUp-Pando Media Booster - c:\program files\Pando Networks\Media Booster\PMB.exe
MSConfigStartUp-TomTomHOME - (no file)
AddRemove-HijackThis - e:\computer repair\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 11:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A52850C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e0b852
\Driver\iaStor -> iaStor.sys @ 0xb9e59984
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9c91bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9c80a0d
SendHandler -> NDIS.sys @ 0xb9c94b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\11.0]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Automenu]
@DACL=(02 0000)
@SACL=
"classid"="clsid:6B28F900-8D64-4B80-9963-CC52DDD1FBB4"
"visible"="false"
"tabstop"="false"
"width"="1"
"height"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\BalanceSlider]
@DACL=(02 0000)
@SACL=
"classid"="clsid:F2BF2C90-405F-11D3-BB39-00A0C93CA73A"
"toolTip"="res://wmploc.dll/RT_STRING/#1845"
"min"="-100"
"max"="100"
"value"="wmpprop:player.settings.balance"
"value_onchange"="player.settings.balance=value;"
"accName"="res://wmploc.dll/RT_STRING/#2112"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2108"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\browser]
@DACL=(02 0000)
@SACL=
"classid"="clsid:8856F961-340A-11D0-A96B-00C04FD705A2"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Button]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2114"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup]
@DACL=(02 0000)
@SACL=
"classid"="clsid:AE3B6831-25A9-11d3-BD41-00C04F6EA5AE"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\CloseButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"upToolTip"="res://wmploc.dll/RT_STRING/#1812"
"onclick"="view.close();"
"accName"="res://wmploc.dll/RT_STRING/#2134"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2135"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\CurrentPositionText]
@DACL=(02 0000)
@SACL=
"classid"="clsid:DDDA102E-0E17-11D3-A2E2-00C04F79F88E"
"tabStop"="true"
"justification"="right"
"value"="wmpprop:player.controls.currentPositionString"
"accName"="res://wmploc.dll/RT_STRING/#2103"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\CustomSlider]
@DACL=(02 0000)
@SACL=
"classid"="clsid:95F45AA3-ED0A-11D2-BA67-0000F80855E6"
"cursor"="hand"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\DropDownPlaylist]
@DACL=(02 0000)
@SACL=
"classid"="clsid:5F9CFD93-8CAD-11d3-9A7E-00C04F8EFB70"
"playlistItemsVisible"="false"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\DurationText]
@DACL=(02 0000)
@SACL=
"classid"="clsid:DDDA102E-0E17-11D3-A2E2-00C04F79F88E"
"tabStop"="true"
"justification"="right"
"value"="wmpprop:player.currentMedia.DurationString"
"accName"="res://wmploc.dll/RT_STRING/#2104"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\EditBox]
@DACL=(02 0000)
@SACL=
"classid"="clsid:6342FCED-25EA-4033-BDDB-D049A14382D3"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Alchemy]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Bars]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\EqualizerSettings]
@DACL=(02 0000)
@SACL=
"classid"="clsid:93EB32F5-87B1-45ad-ACC6-0F2483DB83BB"
"tabStop"="false"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\FFWDButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.fastforward"
"upToolTip"="res://wmploc.dll/RT_STRING/#1804"
"onclick"="player.controls.FastForward()"
"accName"="res://wmploc.dll/RT_STRING/#2120"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2121"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ImageButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"cursor"="hand"
"accName"="res://wmploc.dll/RT_STRING/#2140"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ItemsPlaylist]
@DACL=(02 0000)
@SACL=
"classid"="clsid:5F9CFD93-8CAD-11d3-9A7E-00C04F8EFB70"
"backgroundcolor"="black"
"foregroundcolor"="white"
"columnsVisible"="false"
"columns"="name=Name;Duration=Time"
"dropDownVisible"="false"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\LibraryTree]
@DACL=(02 0000)
@SACL=
"classid"="clsid:D9DE732A-AEE9-4503-9D11-5605589977A8"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ListBox]
@DACL=(02 0000)
@SACL=
"classid"="clsid:FC1880CF-83B9-43A7-A066-C44CE8C82583"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\menu]
@DACL=(02 0000)
@SACL=
"classid"="clsid:BAB3768B-8883-4AEC-9F9B-E14C947913EF"
"visible"="false"
"tabstop"="false"
"width"="1"
"height"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\MinimizeButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"upToolTip"="res://wmploc.dll/RT_STRING/#1811"
"onclick"="view.minimize();"
"accName"="res://wmploc.dll/RT_STRING/#2132"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2133"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\MuteButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"upToolTip"="res://wmploc.dll/RT_STRING/#1807"
"downToolTip"="res://wmploc.dll/RT_STRING/#1808"
"sticky"="true"
"down"="wmpprop:player.settings.mute"
"onClick"="player.settings.mute=down;"
"accName"="res://wmploc.dll/RT_STRING/#2130"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2131"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\NextButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.next"
"upToolTip"="res://wmploc.dll/RT_STRING/#1806"
"onclick"="player.controls.Next()"
"accName"="res://wmploc.dll/RT_STRING/#2124"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2125"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PauseButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.pause"
"upToolTip"="res://wmploc.dll/RT_STRING/#1801"
"onclick"="player.controls.pause()"
"accName"="res://wmploc.dll/RT_STRING/#2116"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2117"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PlayButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.play"
"upToolTip"="res://wmploc.dll/RT_STRING/#1800"
"onclick"="player.controls.play()"
"accName"="res://wmploc.dll/RT_STRING/#2115"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2117"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Playlist]
@DACL=(02 0000)
@SACL=
"classid"="clsid:5F9CFD93-8CAD-11d3-9A7E-00C04F8EFB70"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\plugin]
@DACL=(02 0000)
@SACL=
"classid"="clsid:AA1AC37B-49A8-4B41-AF69-B0176C5FFC33"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PopUp]
@DACL=(02 0000)
@SACL=
"classid"="clsid:FC1880CF-83B9-43A7-A066-C44CE8C82583"
"popup"="true"
"visible"="false"
"backgroundColor"="menu"
"foregroundColor"="menutext"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PrevButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.previous"
"upToolTip"="res://wmploc.dll/RT_STRING/#1805"
"onclick"="player.controls.Previous()"
"accName"="res://wmploc.dll/RT_STRING/#2126"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2127"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ProgressBar]
@DACL=(02 0000)
@SACL=
"classid"="clsid:F2BF2C90-405F-11D3-BB39-00A0C93CA73A"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\RepeatButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"upToolTip"="res://wmploc.dll/RT_STRING/#1816"
"downToolTip"="res://wmploc.dll/RT_STRING/#1817"
"sticky"="true"
"down"="jscript:player.settings.GetMode(\"loop\");"
"onClick"="player.settings.setMode(\"loop\", down);"
"accName"="res://wmploc.dll/RT_STRING/#2138"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2139"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ReturnButton]
@DACL=(02 0000)
@SACL=
"upToolTip"="res://wmploc.dll/RT_STRING/#1813"
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"onclick"="view.returnToMediaCenter();"
"accName"="res://wmploc.dll/RT_STRING/#2128"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2129"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\REWButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.fastreverse"
"upToolTip"="res://wmploc.dll/RT_STRING/#1803"
"onclick"="player.controls.FastReverse()"
"accName"="res://wmploc.dll/RT_STRING/#2122"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2123"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\SeekSlider]
@DACL=(02 0000)
@SACL=
"classid"="clsid:F2BF2C90-405F-11D3-BB39-00A0C93CA73A"
"toolTip"="res://wmploc.dll/RT_STRING/#1809"
"min"="0"
"max"="wmpprop:player.currentmedia.duration"
"value"="wmpprop:player.controls.currentposition"
"ondragend"="player.controls.currentposition=value;"
"foregroundProgress"="wmpprop:player.network.downloadProgress"
"useForegroundProgress"="true"
"accName"="res://wmploc.dll/RT_STRING/#2109"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2108"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ShuffleButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"upToolTip"="res://wmploc.dll/RT_STRING/#1814"
"downToolTip"="res://wmploc.dll/RT_STRING/#1815"
"sticky"="true"
"down"="jscript:player.settings.GetMode(\"shuffle\");"
"onClick"="player.settings.setMode(\"shuffle\", down);"
"accName"="res://wmploc.dll/RT_STRING/#2136"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2137"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Slider]
@DACL=(02 0000)
@SACL=
"classid"="clsid:F2BF2C90-405F-11D3-BB39-00A0C93CA73A"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2108"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\StatusText]
@DACL=(02 0000)
@SACL=
"classid"="clsid:DDDA102E-0E17-11D3-A2E2-00C04F79F88E"
"tabStop"="true"
"value"="wmpprop:player.status"
"accName"="res://wmploc.dll/RT_STRING/#2102"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\StopButton]
@DACL=(02 0000)
@SACL=
"classid"="clsid:87291B51-0C8E-11D3-BB2A-00A0C93CA73A"
"enabled"="wmpenabled:player.controls.stop"
"upToolTip"="res://wmploc.dll/RT_STRING/#1802"
"onclick"="player.controls.stop()"
"accName"="res://wmploc.dll/RT_STRING/#2118"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2119"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\taskcenter]
@DACL=(02 0000)
@SACL=
"classid"="clsid:395BF287-6477-495f-8427-2C09A23C3248"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Text]
@DACL=(02 0000)
@SACL=
"classid"="clsid:DDDA102E-0E17-11D3-A2E2-00C04F79F88E"
"tabStop"="false"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\TrackNameText]
@DACL=(02 0000)
@SACL=
"classid"="clsid:DDDA102E-0E17-11D3-A2E2-00C04F79F88E"
"tabStop"="true"
"value"="wmpprop:player.currentmedia.name"
"accName"="res://wmploc.dll/RT_STRING/#2105"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Video]
@DACL=(02 0000)
@SACL=
"classid"="clsid:61CECF11-FC3A-11D2-A1CD-005004602752"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\VideoSettings]
@DACL=(02 0000)
@SACL=
"classid"="clsid:AE7BFAFE-DCC8-4a73-92C8-CC300CA88859"
"tabStop"="false"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\VolumeSlider]
@DACL=(02 0000)
@SACL=
"classid"="clsid:F2BF2C90-405F-11D3-BB39-00A0C93CA73A"
"min"="0"
"max"="100"
"value"="wmpprop:player.settings.volume"
"value_onchange"="if (value!=player.settings.volume){player.settings.volume=value;player.settings.mute=false;}"
"toolTip"="res://wmploc.dll/RT_STRING/#1810"
"accName"="res://wmploc.dll/RT_STRING/#2110"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2111"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\WMPEffects]
@DACL=(02 0000)
@SACL=
"classid"="clsid:47DEA830-D619-4154-B8D8-6B74845D6A2D"
"tabStop"="false"
"width"="250"
"height"="200"
"horizontalAlignment"="stretch"
"verticalAlignment"="stretch"
"currentEffectType"="wmpprop:mediacenter.effectType"
"currentPreset"="wmpprop:mediacenter.effectPreset"
"currentEffectType_onchange"="mediacenter.effectType = currentEffectType;"
"currentPreset_onchange"="mediacenter.effectPreset = currentPreset;"
"onclick"="next();"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\WMPVideo]
@DACL=(02 0000)
@SACL=
"classid"="clsid:61CECF11-FC3A-11D2-A1CD-005004602752"
"horizontalAlignment"="stretch"
"verticalAlignment"="stretch"
"zoom"="wmpprop:mediacenter.videoZoom"
"stretchToFit"="wmpprop:mediacenter.videoStretchToFit"
"backgroundColor"="black"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Services]
@DACL=(02 0000)
@SACL=
"NoServices"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Services\MediaGuide]
@DACL=(02 0000)
"FriendlyName"="Media Guide"
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Setup\WMDMAutoPlayHandlers]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{0890F930-4F80-4646-BAB1-4B6E5571FB89}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1491"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{1F32514F-1561-4922-A604-8A1F478B5A42}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1495"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{52903d79-f993-4de6-8317-20c9c176d823}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1496"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{59E7BF52-E5C9-4382-A39A-522DEE9AFDFD}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1497"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{5DF031B7-6A37-42D9-8802-E27F4F224332}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000003
"FriendlyName"="Viz Plug-in"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{5F4BB5C9-4652-489B-8601-EEC0C3C32E2E}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1494"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{7F2B1D6B-1357-402C-A1C8-67E59583B41D}]
@DACL=(02 0000)
@SACL=
"Description"="Captions plugin description"
"Capabilities"=dword:000000f0
"FriendlyName"="Captions plugin name"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{93075F62-16B3-43EC-A53B-FFAD0E01D5E7}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000003
"FriendlyName"="res://wmploc.dll/RT_STRING/#209"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{9695AEF9-9D03-4671-8F2F-FF49D1BB01C4}]
@DACL=(02 0000)
@SACL=
"Description"="Media Information description"
"Capabilities"=dword:00000005
"FriendlyName"="res://wmploc.dll/RT_STRING/#1407"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{976ABECA-93F7-4d81-9187-2A6137829675}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1490"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{99DB05E3-F81E-4C8A-A252-F396306AB6FE}]
@DACL=(02 0000)
@SACL=
"Description"="Banner plugin description"
"Capabilities"=dword:000000f0
"FriendlyName"="Banner plugin name"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{9F9562EB-15B6-46C6-A7CB-0A66FC65130E}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1493"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{9FA014E3-076F-4865-A73C-117131B8E292}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000004
"FriendlyName"="res://wmploc.dll/RT_STRING/#1492"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{D5E49195-ED19-40fb-9EE0-E6625A808B77}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000003
"FriendlyName"="Video Plug-in"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{E641D09E-E500-4c09-8260-F1CD7B902E9C}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="WM View plugin name"
"Description"="WM View plugin description"
"Capabilities"=dword:000000f0

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{F24A1BC2-2331-4B91-8A13-5A549DA56E9D}]
@DACL=(02 0000)
@SACL=
"Capabilities"=dword:00000003
"FriendlyName"="Border Plug-in"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{FD981763-B6BB-4d51-9143-6D372A0ED56F}]
@DACL=(02 0000)
@SACL=
"FriendlyName"="res://wmploc.dll/RT_STRING/#5822"
"Description"="res://wmploc.dll/RT_STRING/#5823"
"Capabilities"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Codebases]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Files]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\References]
@DACL=(02 0000)
@SACL=
"U_KB938464"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\Codebases]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\Files]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624\References]
@DACL=(02 0000)
@SACL=
"U_KB938464"=""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Answer]
@DACL=(02 0000)
"1"="ATA<cr>"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Hangup]
@DACL=(02 0000)
"1"="ATH E1<cr>"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Init]
@DACL=(02 0000)
"1"="AT<cr>"
"2"="AT &F E0 &C1 &D2 V1 S0=0\\V1<cr>"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Monitor]
@DACL=(02 0000)
"1"="ATS0=0<cr>"
"2"="None"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\Settings]
@DACL=(02 0000)
"Prefix"="AT"
"Terminator"="<cr>"
"DialPrefix"="D"
"DialSuffix"=";"
"CallSetupFailTimer"="S7=<#>"
"SpeakerVolume_Low"="L0"
"SpeakerVolume_Med"="L2"
"SpeakerVolume_High"="L3"
"SpeakerMode_Off"="M0"
"SpeakerMode_Dial"="M1"
"SpeakerMode_On"="M2"
"SpeakerMode_Setup"="M3"
"FlowControl_Off"="&K0"
"FlowControl_Hard"="&K3"
"FlowControl_Soft"="&K4"
"ErrorControl_On"="\\N3"
"ErrorControl_Off"="\\N1"
"ErrorControl_Forced"="\\N4"
"Compression_Off"="%C0"
"Compression_On"="%C1"
"Modulation_CCITT"="B0B15B2"
"Modulation_Bell"="B1B16B2"
"SpeedNegotiation_Off"="N0\\J1"
"SpeedNegotiation_On"="N1\\J1"
"Pulse"="P"
"Tone"="T"
"Blind_Off"="X4"
"Blind_On"="X3"
"InactivityTimeOut"="S30=<#>"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'explorer.exe'(4292)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\SCardSvr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\msiexec.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
c:\windows\system32\vsjitdebugger.exe
.
**************************************************************************
.
Completion time: 2009-12-29 11:33:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 16:33

Pre-Run: 58,965,532,672 bytes free
Post-Run: 59,168,366,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 26A38C6F6AE70102043B1E04FD286673

#8 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 29 December 2009 - 01:32 PM

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Avast or Symantec.


  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

CMD /K COPY /V C:\Drivers\IntelSata2\IaStor.sys C:\IaStor.sys

  • The command prompt should pop up and say 1 file(s) copied, if it doesn't please let me know before continuing.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FMove::
C:\IaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_ed83e624]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

unite.jpg


#9 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 29 December 2009 - 02:48 PM

ComboFix 09-12-28.06 - cheit 12/29/2009 14:31:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1190 [GMT -5:00]
Running from: c:\documents and settings\cheit\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\cheit\Desktop\cfscript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-29 19:19 . 2008-06-11 02:51 318488 ------w- C:\IaStor.sys
2009-12-29 15:43 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVEX32A.DLL
2009-12-29 15:43 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVENG.SYS
2009-12-29 15:43 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVENG32.DLL
2009-12-29 15:43 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\NAVEX15.SYS
2009-12-29 15:43 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\ERASER.SYS
2009-12-29 15:43 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\EECTRL.SYS
2009-12-29 15:42 . 2009-12-18 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\ECMSVR32.DLL
2009-12-29 15:42 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f2403.vdb\CCERASER.DLL
2009-12-29 15:41 . 2009-12-28 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\ECMSVR32.DLL
2009-12-29 15:41 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\CCERASER.DLL
2009-12-29 15:41 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVEX32A.DLL
2009-12-29 15:41 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVENG.SYS
2009-12-29 15:41 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVENG32.DLL
2009-12-29 15:41 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\NAVEX15.SYS
2009-12-29 15:41 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\ERASER.SYS
2009-12-29 15:41 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3804.vdb\EECTRL.SYS
2009-12-24 17:17 . 2009-12-24 17:17 -------- d-----w- c:\windows\ms
2009-12-24 14:58 . 2009-12-24 14:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-24 14:57 . 2009-12-24 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-24 14:57 . 2007-03-28 19:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2009-12-24 14:57 . 2007-03-28 18:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2009-12-24 14:55 . 2009-12-24 14:58 124378 ----a-w- c:\windows\hpoins14.dat
2009-12-24 14:55 . 2007-09-20 15:05 1996 ------w- c:\windows\hpomdl14.dat
2009-12-24 14:43 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-24 14:43 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-09 03:37 . 2009-12-09 03:37 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-29 19:40 . 2009-08-18 21:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-24 15:30 . 2009-08-18 23:34 55112 ----a-w- c:\documents and settings\cheit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-24 14:56 . 2009-12-24 14:56 -------- d-----w- c:\program files\HP
2009-12-07 23:09 . 2009-10-24 12:09 -------- d-----w- c:\program files\Pando Networks
2009-12-07 23:08 . 2009-09-30 17:17 -------- d-----w- c:\program files\Free SMTP Server
2009-12-03 22:49 . 2009-09-22 13:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:49 . 2009-11-13 12:18 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-09-22 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-09-22 13:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 18:34 . 2009-11-13 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 12:28 . 2009-11-10 05:57 -------- d-----w- c:\program files\BeClean
2009-11-10 14:47 . 2009-11-10 14:47 -------- d-----w- c:\program files\Alwil Software
2009-11-10 14:25 . 2009-11-10 14:25 -------- d-----w- c:\program files\Panda Security
2009-11-04 15:06 . 2009-11-04 15:06 -------- d-----w- c:\program files\Google
2009-10-24 13:20 . 2009-10-24 13:20 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-10-24 13:20 . 2009-10-24 13:20 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-10-24 13:20 . 2009-10-24 13:20 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-10-24 13:20 . 2009-10-24 13:20 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-10-24 13:20 . 2009-10-24 13:20 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-10-24 13:20 . 2009-10-24 13:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-10-24 13:18 . 2009-10-24 12:12 1147925946 ----a-w- c:\program files\DFOSetup12N.exe
2009-10-07 13:15 . 2009-10-07 13:15 60744 ----a-w- c:\documents and settings\cheit\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-29_16.29.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-04 17:32 . 2009-12-29 16:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 17:32 . 2009-12-29 16:26 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 17:32 . 2009-12-29 16:26 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-04 17:32 . 2009-12-29 16:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-24 14:45 . 2009-12-29 16:26 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-24 14:45 . 2009-12-29 16:15 278528 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5160288]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 19:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 21:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2006-09-05 23:02 184320 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PersonalSecureDriveService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"AgereModemAudio"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [12/5/2008 11:32 AM 174600]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [12/5/2008 11:33 AM 3840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/10/2009 9:25 AM 28552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 3:56 PM 36768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [8/19/2009 8:28 AM 8576]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [11/1/2007 1:47 PM 399032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 10:56 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/18/2009 3:34 PM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/28/2008 12:02 PM 36352]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [12/4/2008 6:27 AM 65664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [10/26/2006 12:45 PM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
------- Supplementary Scan -------
.
uStart Page = hxxp://delmontenow.na.dlmfoods.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\
FF - prefs.js: browser.startup.homepage - www.igoogle.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-29 14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A62C50C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba16cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9e0b852
\Driver\iaStor -> iaStor.sys @ 0xb9e59984
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9c91bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9c80a0d
SendHandler -> NDIS.sys @ 0xb9c94b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\11.0\Registration]
@DACL=(02 0000)
@SACL=
"UDBVersion"="11.0.5721.5145"
"UDBRev"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\ButtonElement]
@DACL=(02 0000)
@SACL=
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2114"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\FFWDElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.FastForward"
"upToolTip"="res://wmploc.dll/RT_STRING/#1804"
"onclick"="player.controls.FastForward()"
"accName"="res://wmploc.dll/RT_STRING/#2120"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2121"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\ImageElement]
@DACL=(02 0000)
@SACL=
"cursor"="hand"
"accName"="res://wmploc.dll/RT_STRING/#2140"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\NextElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.Next"
"upToolTip"="res://wmploc.dll/RT_STRING/#1806"
"onclick"="player.controls.Next()"
"accName"="res://wmploc.dll/RT_STRING/#2124"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2125"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\PauseElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.Pause"
"upToolTip"="res://wmploc.dll/RT_STRING/#1801"
"onclick"="player.controls.Pause()"
"accName"="res://wmploc.dll/RT_STRING/#2116"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2117"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\PlayElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.Play"
"upToolTip"="res://wmploc.dll/RT_STRING/#1800"
"onclick"="player.controls.Play()"
"accName"="res://wmploc.dll/RT_STRING/#2115"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2117"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\PrevElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.Previous"
"upToolTip"="res://wmploc.dll/RT_STRING/#1805"
"onclick"="player.controls.Previous()"
"accName"="res://wmploc.dll/RT_STRING/#2126"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2127"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\REWElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.FastReverse"
"upToolTip"="res://wmploc.dll/RT_STRING/#1803"
"onclick"="player.controls.FastReverse()"
"accName"="res://wmploc.dll/RT_STRING/#2122"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2123"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup\StopElement]
@DACL=(02 0000)
@SACL=
"enabled"="wmpenabled:player.controls.Stop"
"upToolTip"="res://wmploc.dll/RT_STRING/#1802"
"onclick"="player.controls.Stop()"
"accName"="res://wmploc.dll/RT_STRING/#2118"
"accKeyboardShortcut"="res://wmploc.dll/RT_STRING/#2119"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\DropDownPlaylist\Column]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Alchemy\Properties]
@DACL=(02 0000)
@SACL=
"classid"="{0AA02E8D-F851-4CB0-9F64-BBA9BE7A983D}"
"name"="res://mpvis.dll/RT_STRING/#100"
"description"="res://mpvis.dll/RT_STRING/#100"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Bars\Properties]
@DACL=(02 0000)
@SACL=
"classid"="{48501FF0-F6A9-11D2-9435-00A0C92A2F2D}"
"name"="res://wmploc.dll/RT_STRING/#5500"
"description"="res://wmploc.dll/RT_STRING/#5512"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ItemsPlaylist\Column]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ListBox\Item]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Playlist\Column]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PopUp\Item]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings\MP3Encoding]
@DACL=(02 0000)
@SACL=
"LowRate"=dword:0001f400
"MediumRate"=dword:0002ee00
"MediumHighRate"=dword:0003e800
"HighRate"=dword:0004e200
"PreferredCodecName"="mp3"
"PreferredCodecPath"="c:\\WINDOWS\\system32\\l3codecp.acm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Files\0]
@DACL=(02 0000)
@SACL=
@="GdiPlus.dll"
"SHA1"=hex:d2,8d,76,71,36,f6,a6,60,60,49,3b,7b,f4,86,f2,52,ab,85,a0,7c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'explorer.exe'(3824)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\msiexec.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
.
**************************************************************************
.
Completion time: 2009-12-29 14:45:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 19:45
ComboFix2.txt 2009-12-29 16:33

Pre-Run: 59,277,873,152 bytes free
Post-Run: 59,249,205,248 bytes free

- - End Of File - - 943908D4308867A666C514D66A0F45DF

#10 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 29 December 2009 - 07:07 PM

  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Click Start >> Run then copy and paste the following bold command line into the Run box and click OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • Follow the instructions to type in "delete" when it asks you what to do when if finds something.
  • When done, a log file should be created on your C: drive called TDSSKiller.txt please post this log in your next reply.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\11.0\Registration]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ButtonGroup]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\DropDownPlaylist\Column]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Alchemy\Properties]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Effects\Bars\Properties]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ItemsPlaylist\Column]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\ListBox\Item]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\Playlist\Column]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Objects\PopUp\Item]
[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings\MP3Encoding]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\Files\0]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Then please post back here with the following logs:
  • TDSSKiller.txt
  • Combofix.txt
Thanks

unite.jpg


#11 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 30 December 2009 - 12:07 AM

The TDSSKiller app did not ask what to do, it just ran and said that the file was fixed. It then instructed me to press Y to reboot, which I did. Neither did it produce a log.

After the reboot I started the CFScript.txt file in ComboFix. During the ComboFix run the PC crashed and rebooted. No log file was produced here either.

Also, ComboFix keeps saying that there is a new version available. I have been saying No to the update.

Please advise. Shall I repeat the steps or is there something else that should be done?

Edited by cwheit, 30 December 2009 - 06:49 PM.


#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 31 December 2009 - 12:51 PM

Delete the copy of combofix you have then download a new copy and run it without a cfscript.

unite.jpg


#13 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 31 December 2009 - 01:12 PM

ComboFix 09-12-31.01 - cheit 12/31/2009 13:04:12.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1139 [GMT -5:00]
Running from: c:\documents and settings\cheit\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\cheit\LOCALS~1\Temp\tmp1.tmp
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 16:59 . 2009-12-24 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\ECMSVR32.DLL
2009-12-31 16:59 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\CCERASER.DLL
2009-12-31 16:59 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\NAVEX32A.DLL
2009-12-31 16:59 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\NAVENG.SYS
2009-12-31 16:59 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\NAVENG32.DLL
2009-12-31 16:59 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\NAVEX15.SYS
2009-12-31 16:59 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\ERASER.SYS
2009-12-31 16:59 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3002.vdb\EECTRL.SYS
2009-12-31 16:57 . 2009-12-30 09:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\ECMSVR32.DLL
2009-12-31 16:57 . 2009-12-08 00:01 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\CCERASER.DLL
2009-12-31 16:57 . 2009-11-10 22:48 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\NAVEX32A.DLL
2009-12-31 16:57 . 2009-11-10 22:48 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\NAVENG.SYS
2009-12-31 16:57 . 2009-11-10 22:48 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\NAVENG32.DLL
2009-12-31 16:57 . 2009-11-10 22:48 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\NAVEX15.SYS
2009-12-31 16:57 . 2009-08-18 00:15 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\ERASER.SYS
2009-12-31 16:57 . 2009-08-18 00:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd2f3c37.vdb\EECTRL.SYS
2009-12-30 04:55 . 2009-12-30 04:55 16904 ----a-w- c:\windows\system32\drivers\KLMD.sys
2009-12-29 19:19 . 2008-06-11 02:51 318488 ------w- C:\IaStor.sys
2009-12-24 17:17 . 2009-12-24 17:17 -------- d-----w- c:\windows\ms
2009-12-24 14:58 . 2009-12-24 14:58 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-24 14:57 . 2009-12-24 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-12-24 14:57 . 2007-03-28 19:01 117760 ----a-w- c:\windows\system32\hpzll5ha.dll
2009-12-24 14:57 . 2007-03-28 18:57 274944 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp5ha.dll
2009-12-24 14:55 . 2009-12-24 14:58 124378 ----a-w- c:\windows\hpoins14.dat
2009-12-24 14:55 . 2007-09-20 15:05 1996 ------w- c:\windows\hpomdl14.dat
2009-12-24 14:43 . 2008-04-14 05:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-24 14:43 . 2008-04-14 05:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2009-12-09 03:37 . 2009-12-09 03:37 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 17:55 . 2009-08-18 21:03 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-30 04:57 . 2008-12-05 16:32 318488 ----a-w- c:\windows\system32\drivers\iastor.sys
2009-12-30 04:55 . 2009-12-30 04:55 318488 ----a-w- c:\windows\system32\drivers\iastor.tsk
2009-12-24 15:30 . 2009-08-18 23:34 55112 ----a-w- c:\documents and settings\cheit\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-24 14:56 . 2009-12-24 14:56 -------- d-----w- c:\program files\HP
2009-12-07 23:09 . 2009-10-24 12:09 -------- d-----w- c:\program files\Pando Networks
2009-12-07 23:08 . 2009-09-30 17:17 -------- d-----w- c:\program files\Free SMTP Server
2009-12-03 22:49 . 2009-09-22 13:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-03 22:49 . 2009-11-13 12:18 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-09-22 13:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-09-22 13:24 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 18:34 . 2009-11-13 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-13 12:28 . 2009-11-10 05:57 -------- d-----w- c:\program files\BeClean
2009-11-10 14:47 . 2009-11-10 14:47 -------- d-----w- c:\program files\Alwil Software
2009-11-10 14:25 . 2009-11-10 14:25 -------- d-----w- c:\program files\Panda Security
2009-11-04 15:06 . 2009-11-04 15:06 -------- d-----w- c:\program files\Google
2009-10-24 13:20 . 2009-10-24 13:20 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-10-24 13:20 . 2009-10-24 13:20 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-10-24 13:20 . 2009-10-24 13:20 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-10-24 13:20 . 2009-10-24 13:20 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-10-24 13:20 . 2009-10-24 13:20 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-10-24 13:20 . 2009-10-24 13:20 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-10-24 13:18 . 2009-10-24 12:12 1147925946 ----a-w- c:\program files\DFOSetup12N.exe
2009-10-07 13:15 . 2009-10-07 13:15 60744 ----a-w- c:\documents and settings\cheit\g2mdlhlpx.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-12-29_16.29.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-04 17:32 . 2009-12-29 16:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 17:32 . 2009-12-29 19:39 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-04 17:32 . 2009-12-29 19:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-04 17:32 . 2009-12-29 16:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-12-24 14:45 . 2009-12-29 19:56 311296 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
"AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-17 5160288]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-7 28672]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-2 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 19:08 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-21421\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\0]
"Script"=Outlook-Import-Junk-Filter.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-1284227242-839522115-51998\Scripts\Logon\0\1]
"Script"=Configure-HP-RISS-PlugIn.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=c:\windows\pss\DVD Check.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-12-03 21:14 1394000 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 21:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
2006-09-05 23:02 184320 ----a-w- c:\program files\InterVideo\DVD Check\DVDCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PersonalSecureDriveService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"AgereModemAudio"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [12/5/2008 11:32 AM 174600]
R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [12/5/2008 11:33 AM 3840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/10/2009 9:25 AM 28552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [11/29/2005 3:56 PM 36768]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\VCdRom.sys [8/19/2009 8:28 AM 8576]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [11/1/2007 1:47 PM 399032]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 10:56 AM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [8/18/2009 3:34 PM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/28/2008 12:02 PM 36352]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [12/4/2008 6:27 AM 65664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [10/26/2006 12:45 PM 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://delmontenow.na.dlmfoods.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
FF - ProfilePath - c:\documents and settings\cheit\Application Data\Mozilla\Firefox\Profiles\paftgdjo.default\
FF - prefs.js: browser.startup.homepage - www.igoogle.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 13:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iaStor]
"ImagePath"="system32\Drivers\iastor.tsk"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\IfxWlxEN.dll
.
Completion time: 2009-12-31 13:09:15
ComboFix-quarantined-files.txt 2009-12-31 18:09
ComboFix2.txt 2009-12-29 19:45
ComboFix3.txt 2009-12-29 16:33

Pre-Run: 59,072,217,088 bytes free
Post-Run: 59,042,971,648 bytes free

- - End Of File - - 06BE90DE640A816D6B52F92F3CB5B6EA

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:09 PM

Posted 31 December 2009 - 01:26 PM

  • Go to Start >> Run
  • Copy and paste the following command line into the Run box, then click OK.

CMD /K REG EXPORT HKLM\SYSTEM\CurrentControlSet\Services\iaStor "%userprofile%\desktop\export.reg"

  • A file called export.reg will appear on your Desktop please post the contents in your next reply.

unite.jpg


#15 cwheit

cwheit
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:07:09 AM

Posted 31 December 2009 - 01:29 PM

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Tag"=dword:00000019
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,61,00,73,00,74,00,6f,00,72,\
00,2e,00,74,00,73,00,6b,00,00,00
"DisplayName"="Intel AHCI Controller"
"Group"="SCSI Miniport"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters]
"queuePriorityEnable"=dword:00000000
"BusType"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port0]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port1]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port2]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port3]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port4]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port5]
"AN"=dword:00000000
"LPM"=dword:00000001
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000001
"GTF"=dword:00000001
"DIPM"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Enum]
"0"="PCI\\VEN_8086&DEV_27C5&SUBSYS_30AC103C&REV_01\\3&b1bfb68&0&FA"
"Count"=dword:00000001
"NextInstance"=dword:00000001




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users