Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple laptop issues


  • This topic is locked This topic is locked
22 replies to this topic

#1 jjdefan

jjdefan

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 23 February 2010 - 10:07 AM

System is running XP Home SP3. Can not run any executables in normal mode (asks for program to open exe) Can not access add/remove in normal mode. Safe mode allows running of programs, but still can not run add/remove (says can not run windows installer in safe mode). Ran online scan in safemode with nothing detected. HJT log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:41 AM, on 2/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Validator] C:\Program Files\CyberTRUCK\ct_valid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stan
O17 - HKLM\Software\..\Telephony: DomainName = stan
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stan
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Update Service (gupdate1ca66be299925c6) (gupdate1ca66be299925c6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe

--
End of file - 10131 bytes

BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 25 February 2010 - 12:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 27 February 2010 - 10:21 AM

Here are the results of the scans you requested. Gmer had to be run in safe mode since exe's can not be run in normal mode.


DDS (Ver_09-12-01.01) - NTFSx86
Run by stan's at 8:53:01.76 on Sat 02/27/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1442 [GMT -5:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Documents and Settings\stan's\Desktop\Stan\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by MySpace
uDefault_Page_URL = hxxp://www.myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [Validator] c:\program files\cybertruck\ct_valid.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R2 BDVEDISK;BDVEDISK;c:\program files\bitdefender\bitdefender 2010\bdvedisk.sys [2009-9-22 83208]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2009-12-7 153448]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2009-10-19 110984]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-10 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100217.005\NAVENG.SYS [2010-2-17 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100217.005\NAVEX15.SYS [2010-2-17 1324720]
S2 gupdate1ca66be299925c6;Google Update Service (gupdate1ca66be299925c6);c:\program files\google\update\GoogleUpdate.exe [2009-11-16 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2009-10-19 183880]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 vvbususb;ADT USB VvBus driver;c:\windows\system32\drivers\vvbususb.sys [2005-10-10 50236]

=============== Created Last 30 ================

2010-02-23 13:53:57 0 d-----w- C:\HijackThis
2010-02-23 11:37:27 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-12 22:16:56 0 d-----w- c:\windows\system32\NtmsData
2010-02-12 22:12:06 34630056 ----a-w- C:\sdasetup.exe
2010-02-10 21:45:15 149768 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-10 21:43:12 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-02-10 21:42:27 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-10 21:42:27 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-10 21:42:27 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-10 21:42:27 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-10 21:38:39 0 d-----w- c:\program files\common files\Symantec Shared
2010-02-10 03:43:26 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-02-10 03:43:26 16 ----a-w- c:\windows\system32\asdict.dat
2010-02-10 02:37:44 52 ----a-w- c:\windows\system32\ashttpstats.csv
2010-02-10 02:27:17 0 d-----w- c:\docume~1\stan's\applic~1\BitDefender
2010-02-10 02:25:20 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-01-28 14:40:44 85000 ---ha-w- c:\windows\system32\mlfcache.dat

==================== Find3M ====================

2010-02-10 02:37:10 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-10 02:37:09 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-10 02:18:43 81984 ----a-w- c:\windows\system32\bdod.bin
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 11:00:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2007-02-01 05:10:28 0 ----a-w- c:\program files\error.dat
2008-12-26 13:57:21 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122620081227\index.dat

============= FINISH: 8:54:28.67 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-27 10:13:29
Windows 5.1.2600 Service Pack 3
Running: kjxpyx0p.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdypob.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Tcp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp bdftdif.sys (BitDefender Firewall TDI Filter Driver/BitDefender LLC)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by jjdefan, 27 February 2010 - 10:28 AM.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 27 February 2010 - 11:40 AM

Hello, jjdefan
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fixing your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.



Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 28 February 2010 - 03:28 PM

Here is the combofix log:

ComboFix 10-02-27.04 - Administrator 02/28/2010 8:22.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1643 [GMT -5:00]
Running from: c:\stan\schrauber.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: BitDefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\stan's\Local Settings\Temporary Internet Files\7ylA1.jpg
c:\documents and settings\stan's\Local Settings\Temporary Internet Files\lyJ5kMayN.jpg
c:\documents and settings\stan's\Local Settings\Temporary Internet Files\mNA10XaA.jpg
c:\documents and settings\stan's\Local Settings\Temporary Internet Files\X0yA81Pb.jpg
c:\recycler\S-1-5-21-1089551744-1120685985-1162132538-1003
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\windows\system32\logs

.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-27 15:16 . 2005-06-06 15:29 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-27 15:15 . 2010-02-28 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-27 13:52 . 2010-02-28 13:11 -------- d-----w- C:\Stan
2010-02-27 13:46 . 2010-02-27 13:46 -------- d-----w- c:\documents and settings\stan's\Application Data\U3
2010-02-23 13:53 . 2010-02-23 14:12 -------- d-----w- C:\HijackThis
2010-02-23 12:47 . 2010-02-23 12:47 114040 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 11:37 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-23 11:34 . 2010-02-23 11:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-02-23 11:30 . 2010-02-23 11:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-22 14:24 . 2010-02-22 14:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-22 14:22 . 2010-02-23 11:30 -------- d-----w- c:\documents and settings\Administrator
2010-02-12 22:16 . 2010-02-16 22:50 -------- d-----w- c:\windows\system32\NtmsData
2010-02-12 22:12 . 2010-02-12 22:12 34630056 ----a-w- C:\sdasetup.exe
2010-02-10 21:45 . 2010-02-10 21:45 -------- d-----w- c:\documents and settings\stan's\Local Settings\Application Data\Symantec
2010-02-10 21:45 . 2009-04-21 03:12 149768 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-10 21:43 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-02-10 21:42 . 2010-02-10 21:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-10 21:42 . 2010-02-10 21:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-10 21:39 . 2006-05-16 17:58 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\WindowsInstaller-KB893803-x86.exe
2010-02-10 21:38 . 2009-09-18 06:54 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\Setup.exe
2010-02-10 21:38 . 2009-09-17 23:27 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\smcinst.exe
2010-02-10 21:38 . 2009-07-16 07:21 3557096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\LUSETUP.EXE
2010-02-10 21:38 . 2009-07-16 07:21 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\LuCheck.exe
2010-02-10 21:38 . 2010-02-10 21:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 03:43 . 2010-02-10 03:43 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-02-10 03:43 . 2010-02-10 03:43 16 ----a-w- c:\windows\system32\asdict.dat
2010-02-10 02:27 . 2010-02-10 02:27 -------- d-----w- c:\documents and settings\stan's\Application Data\BitDefender
2010-02-10 02:25 . 2010-02-12 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 21:45 . 2005-04-30 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-10 21:42 . 2005-04-30 05:48 -------- d-----w- c:\program files\Symantec
2010-02-10 21:42 . 2010-02-10 21:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-10 21:42 . 2010-02-10 21:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-10 03:31 . 2009-11-16 13:11 -------- d-----w- c:\documents and settings\stan's\Application Data\Skype
2010-02-10 02:37 . 2009-12-07 23:46 153448 ----a-w- c:\windows\system32\drivers\bdfm.sys
2010-02-10 02:37 . 2009-12-07 23:49 106464 ----a-w- c:\windows\system32\drivers\bdhv.sys
2010-02-10 02:26 . 2008-12-27 14:08 -------- d-----w- c:\program files\BitDefender
2010-02-10 02:25 . 2009-01-31 05:37 -------- d-----w- c:\program files\Common Files\BitDefender
2010-02-10 02:18 . 2009-01-16 05:06 81984 ----a-w- c:\windows\system32\bdod.bin
2010-02-10 01:34 . 2009-11-16 13:13 -------- d-----w- c:\documents and settings\stan's\Application Data\skypePM
2010-01-31 01:22 . 2010-01-24 04:09 -------- d-----w- c:\documents and settings\stan's\Application Data\HpUpdate
2010-01-28 14:40 . 2010-01-28 14:40 85000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 11:00 . 2009-12-09 11:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 10:59 . 2009-12-09 10:59 152576 ----a-w- c:\documents and settings\stan's\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-09 10:58 . 2009-12-09 10:58 79488 ----a-w- c:\documents and settings\stan's\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:27 . 2004-08-04 08:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 08:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-08-04 08:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-02-01 05:10 . 2007-02-01 05:10 0 ----a-w- c:\program files\error.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Validator"="c:\program files\CyberTRUCK\ct_valid.exe" [2002-10-31 402944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-09 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2010\IEShow.exe" [2009-10-19 71152]
"BDAgent"="c:\program files\BitDefender\BitDefender 2010\bdagent.exe" [2010-01-20 1120704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [10/19/2009 4:04 PM 110984]
S2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2010\bdvedisk.sys [9/22/2009 8:22 AM 83208]
S2 gupdate1ca66be299925c6;Google Update Service (gupdate1ca66be299925c6);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2009 8:10 AM 133104]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [10/19/2009 4:06 PM 183880]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12/7/2009 6:46 PM 153448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2010 4:44 PM 102448]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 10:18 AM 200192]
S3 vvbususb;ADT USB VvBus driver;c:\windows\system32\drivers\vvbususb.sys [10/10/2005 9:44 PM 50236]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PXTDYPOB
*Deregistered* - pxtdypob

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:34]

2006-02-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 18:04]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 13:09]

2010-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 08:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????`?#??;?Z?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1873490202-4011141961-2687378165-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,9b,98,24,b1,9c,aa,43,8d,da,cf,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,9b,98,24,b1,9c,aa,43,8d,da,cf,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1476)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-28 08:33:35
ComboFix-quarantined-files.txt 2010-02-28 13:33

Pre-Run: 1,177,624,576 bytes free
Post-Run: 2,417,876,992 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 4C248B0E7013593CD21A22D15AE15B12


#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 01 March 2010 - 02:35 PM

Hi,


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.





  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    safebootminimal
    safebootnetwork
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#7 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 02 March 2010 - 09:12 AM

Had to run everything in Safe Mode because I still can not run executables in normal mode. Here are the logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3811
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

3/2/2010 7:44:56 AM
mbam-log-2010-03-02 (07-44-56).txt

Scan type: Quick Scan
Objects scanned: 124583
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OTL logfile created on: 3/2/2010 7:54:30 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.23 Gb Free Space | 2.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/01 20:37:07 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/03/01 20:37:07 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/02/09 21:37:23 | 001,612,616 | ---- | M] (BitDefender S.R.L.) [Auto | Stopped] -- C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe -- (VSSERV)
SRV - [2010/01/11 13:02:46 | 000,308,552 | ---- | M] (BitDefender S.R.L.) [Auto | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe -- (LIVESRV)
SRV - [2009/10/23 14:45:26 | 000,311,296 | ---- | M] (S.C. BitDefender S.R.L) [On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\scan.dll -- (scan)
SRV - [2009/10/19 16:06:10 | 000,183,880 | ---- | M] (BitDefender S.R.L. http://www.bitdefender.com) [On_Demand | Stopped] -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe -- (Arrakis3)
SRV - [2009/09/17 18:56:58 | 002,477,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2009/09/17 18:38:02 | 001,864,888 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2009/09/17 17:21:10 | 000,341,320 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2009/07/13 12:06:15 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2009/07/08 20:14:20 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2002/04/11 19:00:00 | 000,057,344 | ---- | M] (brother Industries Ltd) [Auto | Stopped] -- C:\WINDOWS\system32\brsvc01a.exe -- (Brother XP spl Service)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2004/08/04 03:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (UberButton Class) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O2 - BHO: (YahooTaggedBM Class) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (BitDefender Toolbar) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2010\ietoolbar.dll (BitDefender S.R.L.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [BDAgent] C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [BitDefender Antiphishing Helper] C:\Program Files\BitDefender\BitDefender 2010\IEShow.exe (BitDefender S.R.L.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [Validator] C:\Program Files\CyberTRUCK\ct_valid.exe (Fine Point Technologies, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo!)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.17 68.105.29.17
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stan
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Amber Migration.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Amber Migration.bmp
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/04/29 22:41:02 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: ccEvtMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: ccSetMgr - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (Symantec Corporation)
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: SmcService - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe (Symantec Corporation)
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: Symantec Antivirus - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (Symantec Corporation)
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 14 Days ==========

[2010/03/02 07:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/03/02 07:36:14 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/02 07:36:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/03/02 07:36:12 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/02 07:36:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/02 06:47:27 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/02/28 08:33:37 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/02/28 08:19:52 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/02/28 08:15:56 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/02/28 08:15:56 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/02/28 08:15:56 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/02/28 08:15:56 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/02/28 08:15:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/28 08:11:58 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/27 10:15:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\U3
[2010/02/27 08:52:42 | 000,000,000 | ---D | C] -- C:\Stan
[2010/02/23 08:53:57 | 000,000,000 | ---D | C] -- C:\HijackThis
[2010/02/23 06:37:27 | 000,157,712 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010/02/23 06:34:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\BitDefender
[2010/02/23 06:30:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/02/23 06:30:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2010/02/23 06:30:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2010/02/22 09:24:13 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/02/22 09:23:01 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/02/22 09:23:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/02/22 09:23:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/02/22 09:23:01 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Symantec
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\LightScribe
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
[2010/02/22 09:23:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Apple Computer
[2010/02/22 09:23:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/02/22 09:23:00 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/02/22 09:23:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/02/22 09:23:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2010/02/22 09:23:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Pictures
[2010/02/22 09:23:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Music
[2010/02/22 09:23:00 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/02/22 09:23:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/02/22 09:23:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/02/22 09:23:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/02/22 09:23:00 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/02/22 09:23:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/02/22 09:23:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}
[2009/11/16 08:22:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/11/16 08:10:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/05/11 08:42:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/12/26 08:58:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/01/15 13:04:43 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/07 09:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Symantec
[2005/04/29 23:49:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2005/04/29 22:40:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/02 07:50:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/02 07:50:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/02 07:47:52 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/02 07:45:45 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/03/02 07:45:45 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/03/02 07:45:43 | 002,205,456 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/03/02 07:36:17 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/02 07:08:04 | 000,525,770 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/02 07:08:04 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/02 07:08:04 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/01 20:37:07 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/02/28 08:31:52 | 000,000,274 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/02/28 08:19:59 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/02/27 09:22:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/27 08:41:16 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/23 08:55:18 | 000,000,052 | ---- | M] () -- C:\WINDOWS\System32\ashttpstats.csv
[2010/02/23 08:55:06 | 000,000,121 | ---- | M] () -- C:\WINDOWS\bdagent.INI
[2010/02/23 07:47:36 | 000,114,040 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/02/23 06:36:28 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/02 07:36:17 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/28 08:19:59 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/02/28 08:19:54 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/02/28 08:15:56 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/02/28 08:15:56 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/02/28 08:15:56 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/02/28 08:15:56 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/02/28 08:15:56 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/02/23 06:36:28 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2010/02/22 09:23:00 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/02/22 09:22:58 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2009/10/25 04:16:53 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ITALD_AMP.INI
[2009/01/15 12:45:34 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\txmlutil.dll
[2008/12/29 01:24:21 | 000,000,121 | ---- | C] () -- C:\WINDOWS\bdagent.INI
[2008/12/26 09:55:11 | 000,002,375 | ---- | C] () -- C:\WINDOWS\Graffiti5.2Pin.ini
[2008/02/08 03:13:44 | 000,319,488 | ---- | C] () -- C:\WINDOWS\System32\LS3Renderer.dll
[2008/01/09 01:01:48 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2007/08/29 09:29:36 | 000,000,213 | ---- | C] () -- C:\WINDOWS\muveeapp.INI
[2007/05/18 07:32:24 | 000,000,061 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
[2007/02/01 00:10:28 | 000,000,000 | ---- | C] () -- C:\Program Files\error.dat
[2007/02/01 00:10:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\BROWNIE.INI
[2007/02/01 00:10:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2007/02/01 00:10:28 | 000,000,000 | ---- | C] () -- C:\WINDOWS\briwm04a.ini
[2007/02/01 00:10:02 | 000,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2007/02/01 00:10:01 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2007/02/01 00:10:01 | 000,000,026 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/01/31 13:50:32 | 000,913,408 | ---- | C] () -- C:\WINDOWS\System32\xreglib.dll
[2006/10/23 12:21:13 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\jacob.dll
[2005/10/13 19:10:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QuickInstall.INI
[2005/10/13 18:48:49 | 000,000,000 | ---- | C] () -- C:\WINDOWS\QUICKI~1.INI
[2005/10/08 11:41:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/30 00:30:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2005/04/30 00:30:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2005/04/30 00:30:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2005/04/30 00:30:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2005/04/30 00:30:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2005/04/30 00:30:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2005/04/30 00:17:21 | 000,015,669 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/02/12 03:33:06 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/07 08:16:44 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/07 08:10:08 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/01/13 13:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/01/22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/02/23 06:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitDefender
[2010/02/12 17:40:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BitDefender
[2006/02/19 01:59:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HotSync
[2005/04/30 00:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2008/12/26 09:25:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2008/12/26 09:07:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Plus
[2008/12/26 09:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio Ultimate
[2008/12/26 09:07:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Studio 12
[2009/09/21 09:00:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/18 10:30:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2006/02/06 07:10:32 | 000,000,276 | ---- | M] () -- C:\WINDOWS\Tasks\Easy Internet Sign-up.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2010/02/12 17:12:40 | 034,630,056 | ---- | M] (PC Tools ) -- C:\sdasetup.exe


< MD5 for: AGP440.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/12/26 08:27:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/12/26 08:27:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 03:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/12/26 08:27:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/12/26 08:27:54 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 19:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2009/06/25 15:04:32 | 000,001,536 | ---- | M] () MD5=8D4CD834292293F4055BAC313268E2DE -- C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\lib\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >
< End of report >

OTL Extras logfile created on: 3/2/2010 7:54:30 AM - Run 1
OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 87.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.23 Gb Free Space | 2.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STAN
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\RM.exe:*:Enabled:Render Manager -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\Studio.exe:*:Enabled:Studio -- (Pinnacle Systems)
"C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe" = C:\Program Files\Pinnacle\Studio 12\Programs\umi.exe:*:Enabled:umi -- (Pinnacle Systems)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06ECCCF4-9295-468E-851C-9529A7C181E8}" = HP User Guides 0001
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{11B569C2-4BF6-4ED0-9D17-A4273943CB24}" = Adobe Photoshop Album 2.0 Starter Edition
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15D91706-6ADF-44CF-9D7D-FF2D8ACD2C6F}" = LS_HSI
"{1895A08A-0DEC-4855-B1F4-1B95FB39901B}" = BitDefender Total Security 2010
"{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Sonic MyDVD Plus
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{262BF2CD-601D-4F43-919C-4B00B1D1F338}" = Boris Graffiti
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2EFCC193-D915-4CCB-9201-31773A27BC06}" = Symantec Endpoint Protection
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{31B5C6E6-15A4-4614-8169-DA9576575715}" = Tune Tools for iPod
"{3248F0A8-6813-11D6-A77B-00B0D0150040}" = J2SE Runtime Environment 5.0 Update 4
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{4302B2DD-D958-40E3-BAF3-B07FFE1978CE}" = HP Wireless Assistant 1.01 A2
"{436C6169-7265-2020-436F-6E6B6C696E21}" = Merriam-Webster Macros for Microsoft Word
"{4E7E8E6A-15F1-4E26-9352-26AD235131E9}" = Documents To Go
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{534AA552-E1F1-4965-B2AA-FBDEB0730D60}" = muvee autoProducer 4.0 - SE
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{5EB90C06-964F-4195-B83E-BD7E55C88415}" = Pinnacle Video Driver
"{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = TIxx21
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Sonic Express Labeler
"{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}" = Zone Deluxe Games
"{67330878-0617-41A9-A3B0-B5298E89E7BC}" = Pinnacle Winter Pack
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Sonic Audio Module
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Sonic Copy Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}" = Pinnacle Instant DVD Recorder
"{C151CE54-E7EA-4804-854B-F515368B0798}" = Athlon 64 Processor Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB326EC-8F40-47B2-BA22-BB092565D66F}" = Quick Launch Buttons 5.10 B2
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D1860E6E-520E-4380-8433-E58E8F88B473}" = Pinnacle Studio 12 Ultimate Plugins
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{F3812D83-86D2-4445-A841-3E0BA4F9A11C}" = Merriam-Webster 3.0
"{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility
"{FF8157AA-F640-45BD-B7C2-BAA1016B267A}" = palmOne
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"Brother MFC-420CN" = Brother MFC-420CN
"CNXT_AUDIO" = Conexant AC-Link Audio
"CNXT_MODEM_PCI_VEN_1002&DEV_4378&SUBSYS_3091103C" = Data Fax SoftModem with SmartCP
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Google Chrome" = Google Chrome
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{612DC38A-B36A-4699-88EB-12C7394DE2FC}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{8105684D-8CA6-440D-8F58-7E5FD67A499D}" = Easy Internet Sign-up
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Magic Bullet Looks Studio" = Magic Bullet Looks Studio
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Money2005b" = Microsoft Money 2005
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"proDAD-Vitascene-1.0" = proDAD Vitascene 1.0
"Roxio UDF Reader" = Roxio UDF Reader
"ST6UNST #1" = NavFit98A
"stax-Pinnacle_is1" = SureThing Express Labeler
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Customizations" = Yahoo! extras
"Yahoo! Internet Mail" = Yahoo! Internet Mail
"Yahoo! Toolbar" = Yahoo! Toolbar
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/28/2010 7:34:42 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/28/2010 7:34:42 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2010 8:34:42 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/28/2010 8:34:42 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2010 9:12:46 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/28/2010 9:12:46 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2010 9:12:47 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2010 9:14:25 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The server name or address could not be resolved

Error - 2/28/2010 9:14:25 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 2/28/2010 9:14:26 AM | Computer Name = STAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 3/2/2010 8:35:32 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:35:32 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:36:18 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:45:09 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:45:44 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/2/2010 8:52:41 AM | Computer Name = STAN | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AmdK8 bdfsfltr eabfiltr eeCtrl Fips SPBBCDrv SRTSP SRTSPX SYMTDI

Error - 3/2/2010 8:53:15 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:53:18 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 3/2/2010 8:53:19 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 3/2/2010 8:53:35 AM | Computer Name = STAN | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >


#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 03 March 2010 - 01:18 PM

What for issues do you have when you run in normal mode?
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#9 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 04 March 2010 - 09:13 AM

In normal mode, I can not run any executables. When attempting to run any executable file, I get the window asking to select what program to use to open exe file extensions. I can not run add/remove programs in normal mode or safe mode. When trying to add/remove in safe mode it tells me that service is not available in safe mode and must be run in normal mode. In normal I get an error saying application not found.

Edited by jjdefan, 04 March 2010 - 09:14 AM.


#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 05 March 2010 - 02:01 PM

Hi,

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#11 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 05 March 2010 - 06:39 PM

Ran exehelper in safe mode. Tool completed successfully. Rebooted into normal mode, tried to run any exe and still got the "select program to open exe" window. Here is the log...

exeHelper by Raktor
Build 20091220
Run at 18:20:30 on 03/05/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 06 March 2010 - 02:03 PM

Please delete your copy of Combofix, download a fresh one and save it as fix.com to your desktop. Reboot into normal mode and try to run the tool.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#13 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 06 March 2010 - 04:57 PM

Fix.com would not run in normal mode. Same results...

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:07:04 PM

Posted 07 March 2010 - 04:18 AM

Hi,

In Notepad create a new file and copy/paste all the text below:

CODE
' VBScript to restore .exe file association with Windows XP
Option Explicit

Dim strComputer
Dim objRegistry,objDictionary

strComputer = "."
Set objRegistry=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")

Set objDictionary = CreateObject("Scripting.Dictionary")
objDictionary.Add "HKCR",&h80000000

Call RegAddString( "HKCR", ".exe", "", "exefile")
Call RegAddString( "HKCR", ".exe", "Content Type",_
"application/x-msdownload" )
Call RegAddString( "HKCR", ".exe\PersistentHandler", "",_
"{098f2470-bae0-11cd-b579-08002b30bfeb}" )
Call RegAddString( "HKCR", "exefile", "", "Application" )
Call RegAddBinary( "HKCR", "exefile", "EditFlags", "38,07,00,00" )
Call RegAddString( "HKCR", "exefile", "TileInfo",_
"prop:FileDescription;Company;FileVersion" )
Call RegAddString( "HKCR", "exefile", "InfoTip",_
"prop:FileDescription;Company;FileVersion;Create;Size" )
Call RegAddString( "HKCR", "exefile\DefaultIcon", "", "%1" )
Call RegAddString( "HKCR", "exefile\shell", "", "" )
Call RegAddString( "HKCR", "exefile\shell\open", "", "" )
Call RegAddBinary( "HKCR", "exefile\shell\open",_
"EditFlags", "00,00,00,00" )
Call RegAddString( "HKCR", "exefile\shell\open\command", "",_
Chr(34) & "%1" & Chr(34) & Space(1) & "%*" )
Call RegAddString( "HKCR", "exefile\shell\runas", "", "" )
Call RegAddString( "HKCR", "exefile\shell\runas\command", "",_
Chr(34) & "%1" & Chr(34) & Space(1) & "%*" )
Call RegAddString( "HKCR", "exefile\shellex", "", "" )
Call RegAddString( "HKCR", "exefile\shellex\DropHandler",_
"", "{86C86720-42A0-1069-A2E8-08002B30309D}" )
Call RegAddString( "HKCR", "exefile\shellex\PropertySheetHandlers", "", "" )
Call RegAddString( "HKCR", "exefile\shellex\PropertySheetHandlers\PifProps",_
"", "{86F19A00-42A0-1069-A2E9-08002B30309D}" )
Call RegAddString( "HKCR", "exefile\shellex\PropertySheetHandlers\ShimLayer Property Page",_
"", "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" )

Function RegKeyExists(rootkey, keypath)
Dim arrValueNames, arrValueTypes
If objRegistry.EnumValues(objDictionary(rootkey), keypath, arrValueNames, arrValueTypes) = 0 Then
RegKeyExists = True
Else
RegKeyExists = False
End If
End Function

Sub RegAddKey(rootkey, keypath)
objRegistry.CreateKey objDictionary(rootkey),keypath
End Sub

Sub RegAddString(rootkey, keypath, valuename, valuedata)
If Not RegKeyExists(rootkey, keypath) Then
Call RegAddKey( rootkey, keypath )
End If
objRegistry.SetStringValue objDictionary(rootkey),keypath,valuename,valuedata
End Sub

Sub RegAddBinary(rootkey, keypath, valuename, valuearray)
Dim arrValue(),arrHexValue,i,HexVal

arrHexValue = Split(Trim(valuearray),",")
i=0
For Each HexVal in arrHexValue
Redim Preserve arrValue(i)
arrValue(i) = "&h" & HexVal
i=i + 1
Next
objRegistry.SetBinaryValue objDictionary(rootKey),keypath,valuename,arrValue
Redim arrValue(0)
End Sub


In Notepad, select file, select save.
Under "Save In" use the pull-down menu and select C:\regfixes
Name the file xp_exe_fix.vbs
Under "Save as type" use the pull-down menu and select "All files"

Run the script and restore the registry keys associated with the exe file type.

regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#15 jjdefan

jjdefan
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia Beach
  • Local time:02:04 PM

Posted 07 March 2010 - 04:02 PM

I can run executables now. Ran the fix.com that you requested earlier. Here is the log...

ComboFix 10-03-06.01 - stan's 03/07/2010 8:48.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1449 [GMT -5:00]
Running from: f:\stan\fix.com
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((( Files Created from 2010-02-07 to 2010-03-07 )))))))))))))))))))))))))))))))
.

2010-03-07 13:35 . 2010-03-07 13:35 -------- d-----w- c:\windows\LastGood
2010-03-07 13:21 . 2010-03-07 13:21 -------- d-----w- c:\documents and settings\stan's\Application Data\Malwarebytes
2010-03-02 12:36 . 2010-03-02 12:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-03-02 12:36 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-02 12:36 . 2010-03-02 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-02 12:36 . 2010-03-02 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-02 12:36 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 15:16 . 2005-06-06 15:29 110592 ----a-w- c:\documents and settings\Administrator\Application Data\U3\temp\cleanup.exe
2010-02-27 15:15 . 2010-02-28 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-27 13:52 . 2010-03-02 14:06 -------- d-----w- C:\Stan
2010-02-27 13:46 . 2010-02-27 13:46 -------- d-----w- c:\documents and settings\stan's\Application Data\U3
2010-02-23 13:53 . 2010-02-23 14:12 -------- d-----w- C:\HijackThis
2010-02-23 12:47 . 2010-02-23 12:47 114040 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-23 11:37 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-23 11:34 . 2010-03-07 13:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitDefender
2010-02-23 11:30 . 2010-02-23 11:30 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-22 14:24 . 2010-02-22 14:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-02-22 14:22 . 2010-02-23 11:30 -------- d-----w- c:\documents and settings\Administrator
2010-02-12 22:16 . 2010-02-16 22:50 -------- d-----w- c:\windows\system32\NtmsData
2010-02-12 22:12 . 2010-02-12 22:12 34630056 ----a-w- C:\sdasetup.exe
2010-02-10 21:45 . 2010-02-10 21:45 -------- d-----w- c:\documents and settings\stan's\Local Settings\Application Data\Symantec
2010-02-10 21:45 . 2010-01-12 22:57 162048 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-02-10 21:43 . 2009-09-17 23:38 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-02-10 21:42 . 2010-02-10 21:42 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-02-10 21:42 . 2010-02-10 21:42 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-02-10 21:39 . 2006-05-16 17:58 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\WindowsInstaller-KB893803-x86.exe
2010-02-10 21:38 . 2009-09-18 06:54 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\Setup.exe
2010-02-10 21:38 . 2009-09-17 23:27 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\smcinst.exe
2010-02-10 21:38 . 2009-07-16 07:21 3557096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\LUSETUP.EXE
2010-02-10 21:38 . 2009-07-16 07:21 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{2EFCC193-D915-4CCB-9201-31773A27BC06}\LuCheck.exe
2010-02-10 21:38 . 2010-02-10 21:45 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-10 03:43 . 2010-02-10 03:43 4 ----a-w- c:\windows\system32\aspdict-en.dat
2010-02-10 03:43 . 2010-02-10 03:43 16 ----a-w- c:\windows\system32\asdict.dat
2010-02-10 02:25 . 2010-03-07 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 13:37 . 2009-01-31 05:37 -------- d-----w- c:\program files\Common Files\BitDefender
2010-03-07 13:37 . 2008-12-27 14:08 -------- d-----w- c:\program files\BitDefender
2010-02-10 21:45 . 2005-04-30 05:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-02-10 21:42 . 2005-04-30 05:48 -------- d-----w- c:\program files\Symantec
2010-02-10 21:42 . 2010-02-10 21:42 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-02-10 21:42 . 2010-02-10 21:42 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-02-10 03:31 . 2009-11-16 13:11 -------- d-----w- c:\documents and settings\stan's\Application Data\Skype
2010-02-10 02:18 . 2009-01-16 05:06 81984 ----a-w- c:\windows\system32\bdod.bin
2010-02-10 01:34 . 2009-11-16 13:13 -------- d-----w- c:\documents and settings\stan's\Application Data\skypePM
2010-01-31 01:22 . 2010-01-24 04:09 -------- d-----w- c:\documents and settings\stan's\Application Data\HpUpdate
2010-01-28 14:40 . 2010-01-28 14:40 85000 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-31 16:50 . 2004-08-04 08:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-04 08:00 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 08:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-09 11:00 . 2009-12-09 11:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-09 10:59 . 2009-12-09 10:59 152576 ----a-w- c:\documents and settings\stan's\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-09 10:58 . 2009-12-09 10:58 79488 ----a-w- c:\documents and settings\stan's\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-08 19:27 . 2004-08-04 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 08:00 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2007-02-01 05:10 . 2007-02-01 05:10 0 ----a-w- c:\program files\error.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-02-28_13.31.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-05 23:24 . 2010-03-05 23:24 16384 c:\windows\temp\Perflib_Perfdata_61c.dat
+ 2007-01-29 08:58 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2009-10-28 15:07 46080 c:\windows\system32\tzchange.exe
+ 2004-08-07 13:10 . 2010-03-02 12:08 72306 c:\windows\system32\perfc009.dat
- 2004-08-07 13:10 . 2010-02-11 01:51 72306 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2010-03-02 12:08 444596 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2010-02-11 01:51 444596 c:\windows\system32\perfh009.dat
- 2004-08-04 08:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2004-08-04 08:00 . 2009-12-09 05:53 726528 c:\windows\system32\jscript.dll
- 2008-05-09 10:53 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2009-12-09 05:53 726528 c:\windows\system32\dllcache\jscript.dll
+ 2010-03-07 13:35 . 2009-10-19 21:04 110984 c:\windows\LastGood\system32\DRIVERS\bdfndisf.sys
+ 2010-03-04 13:33 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976662-IE8\spuninst\updspapi.dll
+ 2010-03-04 13:33 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe
+ 2010-03-04 13:33 . 2009-06-22 06:44 726528 c:\windows\ie8updates\KB976662-IE8\jscript.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-27 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Validator"="c:\program files\CyberTRUCK\ct_valid.exe" [2002-10-31 402944]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-09 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-13 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/10/2010 4:44 PM 102448]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 10:18 AM 200192]
S2 gupdate1ca66be299925c6;Google Update Service (gupdate1ca66be299925c6);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2009 8:10 AM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/14/2009 12:51 PM 23888]
S3 vvbususb;ADT USB VvBus driver;c:\windows\system32\drivers\vvbususb.sys [10/10/2005 9:44 PM 50236]
.
Contents of the 'Scheduled Tasks' folder

2010-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:34]

2006-02-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2005-03-03 18:04]

2010-03-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 13:09]

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-07 08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????`?#??;?Z?????? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(880)
c:\windows\system32\WININET.dll
c:\windows\system32\capicom.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-03-07 08:58:26
ComboFix-quarantined-files.txt 2010-03-07 13:58

Pre-Run: 2,760,675,328 bytes free
Post-Run: 2,730,471,424 bytes free

- - End Of File - - B56BBC920DE5EBA08479E0A9EAC9EA86




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users