
Possible Browser Hi-Jack


9 replies to this topic

#1 takuhii


Posted 15 March 2010 - 05:36 PM

Hi,
I'm new, and probably being overly paranoid, but every so often, when I perform a search, the top results don't always go where they say they do. If I go back to the search results page and hit refresh, the URL is suddenly correct.

I installed Hijackthis, but can't see anything unusual in the log (attached). Can anyone shed any light on this? I've also tried Spybot S&D, I have Norton Installed, and also used MalwareBytes (which did find 5 threats, but cleaned them out, and they've never come back (but the fault still remained)).

Any ideas greatly appreciated
Darren

** HiJackThis Log **

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 22:11:48, on 15/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\windows\system32\crypserv.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\windows\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\windows\RTHDCPL.EXE
C:\windows\system32\ctfmon.exe
C:\Program Files\Xmarks\IE Extension\xmarkssync.exe
C:\windows\system32\rundll32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\System32\svchost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MPlayerForWindows_UpdateReminder] "C:\Program Files\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Xmarks] C:\Program Files\Xmarks\IE Extension\xmarkssync.exe -q
O4 - HKCU\..\Run: [nvwrstream60] rundll32.exe "C:\Documents and Settings\DazAndMich\Local Settings\Application Data\nvwrstream60\nvwrstream60.dll", DllInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O15 - Trusted IP range: http://192.168.0.1
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239974078046
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C5C5C23-628A-4489-A823-F81CF4479695}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C5C5C23-628A-4489-A823-F81CF4479695}: NameServer = 208.67.222.222,208.67.220.220
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\windows\SYSTEM32\crypserv.exe
O23 - Service: Google Update Service (gupdate1c9ccea59430db0) (gupdate1c9ccea59430db0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7294 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal



#2 aommaster

Posted 17 March 2010 - 08:21 PM

Hello, takuhii.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 takuhii

Posted 19 March 2010 - 03:13 PM

Hi,
Thanks for this. I think I may have got rid of this, but I have had three false alarms (thinking I'd removed it) already. Please find the logs attached...

Regards
Darren

Logfile of random's system information tool 1.06 (written by random/random)
Run by DazAndMich at 2010-03-19 19:23:25
Microsoft Windows XP Professional Service Pack 3
System drive C: has 20 GB (51%) free of 38 GB
Total RAM: 503 MB (12% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:54, on 19/03/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\windows\RTHDCPL.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Xmarks\IE Extension\xmarkssync.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\RSIT.exe
C:\Program Files\trend micro\DazAndMich.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MPlayerForWindows_UpdateReminder] "C:\Program Files\MPlayer for Windows\AutoUpdate.exe" /L=1033 /TASK
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Xmarks] C:\Program Files\Xmarks\IE Extension\xmarkssync.exe -q
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\xmarkssync.exe (HKCU)
O15 - Trusted IP range: http://192.168.0.1
O15 - ESC Trusted IP range: http://192.168.0.1
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1239974078046
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-27-0.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C5C5C23-628A-4489-A823-F81CF4479695}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C5C5C23-628A-4489-A823-F81CF4479695}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Update Service (gupdate1c9ccea59430db0) (gupdate1c9ccea59430db0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6179 bytes

======Scheduled tasks folder======

C:\windows\tasks\GoogleUpdateTaskMachineCore.job
C:\windows\tasks\GoogleUpdateTaskMachineUA.job
C:\windows\tasks\HP Usg Daily.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
Symantec NCO BHO - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll [2009-12-10 394608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL [2009-11-17 79224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-03-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-03-17 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Norton Toolbar - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll [2009-12-10 394608]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2007-01-13 131072]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2007-01-13 163840]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2007-01-13 135168]
"High Definition Audio Property Page Shortcut"=C:\windows\system32\HDAShCut.exe [2005-01-07 61952]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe [2005-07-08 176128]
"HPHUPD05"=C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe [2005-07-08 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2004-05-12 241664]
"HPHmon05"=C:\WINDOWS\system32\hphmon05.exe [2005-07-08 491520]
"RTHDCPL"=C:\windows\RTHDCPL.EXE [2009-04-17 17880576]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]
"MPlayerForWindows_UpdateReminder"=C:\Program Files\MPlayer for Windows\AutoUpdate.exe [2010-03-02 234919]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Xmarks"=C:\Program Files\Xmarks\IE Extension\xmarkssync.exe [2009-11-12 1007616]
"ctfmon.exe"=C:\windows\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\windows\system32\igfxdev.dll [2007-01-13 204800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.txt - open -

======List of files/folders created in the last 3 months======

2010-03-19 19:23:30 ----D---- C:\Program Files\trend micro
2010-03-19 19:23:25 ----D---- C:\rsit
2010-03-18 23:21:59 ----SHD---- C:\RECYCLER
2010-03-18 21:53:29 ----A---- C:\windows\MBR.exe
2010-03-18 21:53:27 ----A---- C:\windows\zip.exe
2010-03-18 21:53:27 ----A---- C:\windows\SWXCACLS.exe
2010-03-18 21:53:27 ----A---- C:\windows\SWSC.exe
2010-03-18 21:53:27 ----A---- C:\windows\SWREG.exe
2010-03-18 21:53:27 ----A---- C:\windows\sed.exe
2010-03-18 21:53:27 ----A---- C:\windows\PEV.exe
2010-03-18 21:53:27 ----A---- C:\windows\grep.exe
2010-03-18 21:49:46 ----D---- C:\windows\ERDNT
2010-03-18 21:31:23 ----A---- C:\windows\system32\tmp.txt
2010-03-18 20:27:31 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-18 18:48:43 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro
2010-03-18 18:48:31 ----D---- C:\Program Files\Hitman Pro 3.5
2010-03-17 21:39:20 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Macromedia
2010-03-17 20:43:29 ----A---- C:\windows\system32\javaws.exe
2010-03-17 20:43:29 ----A---- C:\windows\system32\javaw.exe
2010-03-17 20:43:29 ----A---- C:\windows\system32\java.exe
2010-03-17 20:42:57 ----D---- C:\Program Files\Java
2010-03-16 22:15:00 ----D---- C:\ConverterOutput
2010-03-16 22:13:43 ----A---- C:\Cucu_Video_log.txt
2010-03-16 22:12:02 ----A---- C:\windows\system32\cdga.dll
2010-03-16 22:12:02 ----A---- C:\windows\system32\cdg.dll
2010-03-15 22:41:52 ----A---- C:\windows\iun6002.exe
2010-03-15 22:41:49 ----D---- C:\Program Files\TuneXP
2010-03-15 21:36:54 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-15 21:29:59 ----D---- C:\Program Files\TrendMicro
2010-03-15 20:45:01 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Secunia CSI
2010-03-13 21:51:04 ----D---- C:\Documents and Settings\DazAndMich\Application Data\InfraRecorder
2010-03-13 21:50:32 ----D---- C:\Program Files\InfraRecorder
2010-03-11 20:01:59 ----D---- C:\Program Files\Secunia
2010-03-10 03:04:45 ----HDC---- C:\windows\$NtUninstallKB975561$
2010-03-07 16:47:35 ----A---- C:\windows\system32\mp3Media2.dll
2010-03-07 16:47:34 ----D---- C:\Program Files\Smallvideosoft
2010-03-07 10:20:58 ----A---- C:\windows\system32\unicows.dll
2010-03-07 10:20:58 ----A---- C:\windows\system32\pthreadGC2.dll
2010-03-07 10:20:57 ----A---- C:\windows\system32\ff_vfw.dll.manifest
2010-03-07 10:20:57 ----A---- C:\windows\system32\ff_vfw.dll
2010-03-06 18:44:51 ----A---- C:\windows\imsins.BAK
2010-03-06 18:44:35 ----HDC---- C:\windows\$NtUninstallKB902344$
2010-03-05 20:14:51 ----D---- C:\Program Files\KompoZer
2010-03-05 20:02:31 ----D---- C:\Program Files\KompoZer 0.7.10
2010-03-04 21:53:29 ----D---- C:\Program Files\Cucusoft
2010-03-04 21:17:21 ----A---- C:\windows\Crypkey.ini
2010-03-04 21:17:16 ----A---- C:\windows\Ckrfresh.exe
2010-03-04 21:17:16 ----A---- C:\windows\Ckconfig.exe
2010-03-04 21:17:15 ----RA---- C:\windows\Setup_ck.exe
2010-03-04 21:17:15 ----A---- C:\windows\Setup_ck.dll
2010-03-04 21:01:48 ----D---- C:\Program Files\Blue Cat Audio
2010-02-28 15:59:39 ----A---- C:\windows\system32\GEARAspi.dll
2010-02-27 20:50:15 ----D---- C:\Program Files\AnvSoft
2010-02-26 07:02:22 ----N---- C:\windows\system32\browserchoice.exe
2010-02-24 23:48:00 ----HDC---- C:\windows\$NtUninstallKB979306$
2010-02-24 23:34:23 ----D---- C:\Program Files\WinZip14
2010-02-17 21:18:54 ----D---- C:\Program Files\FileZilla FTP Client
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudPlayer.dll
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudioVisu.dll
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudioRecord.dll
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudioInfos.dll
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudFile.dll
2010-02-15 20:50:33 ----A---- C:\windows\system32\AudDisplay.dll
2010-02-15 20:50:32 ----A---- C:\windows\system32\VB6STKIT.DLL
2010-02-15 20:50:32 ----A---- C:\windows\system32\VB6FR.DLL
2010-02-15 20:50:32 ----A---- C:\windows\system32\TABCTFR.DLL
2010-02-15 20:50:32 ----A---- C:\windows\system32\inetfr.DLL
2010-02-15 20:50:32 ----A---- C:\windows\system32\AudDesign.dll
2010-02-15 20:50:31 ----A---- C:\windows\system32\MSCMCFR.DLL
2010-02-15 20:50:31 ----A---- C:\windows\system32\Mscc2fr.dll
2010-02-15 20:50:31 ----A---- C:\windows\system32\CMDLGFR.DLL
2010-02-15 20:50:30 ----A---- C:\windows\system32\lame_enc.dll
2010-02-15 20:50:29 ----D---- C:\Program Files\Free Audio Pack
2010-02-10 21:06:18 ----HDC---- C:\windows\$NtUninstallKB978262$
2010-02-10 21:05:26 ----HDC---- C:\windows\$NtUninstallKB971468$
2010-02-10 20:56:16 ----HDC---- C:\windows\$NtUninstallKB978037$
2010-02-10 20:55:59 ----HDC---- C:\windows\$NtUninstallKB975713$
2010-02-10 20:55:50 ----HDC---- C:\windows\$NtUninstallKB978251$
2010-02-10 20:54:35 ----HDC---- C:\windows\$NtUninstallKB975560$
2010-02-10 20:52:57 ----HDC---- C:\windows\$NtUninstallKB977914$
2010-02-10 20:50:44 ----HDC---- C:\windows\$NtUninstallKB978706$
2010-02-10 20:47:30 ----HDC---- C:\windows\$NtUninstallKB977165$
2010-01-30 21:33:03 ----D---- C:\Program Files\ffdshow
2010-01-30 21:28:02 ----D---- C:\Program Files\Haali
2010-01-30 21:23:00 ----D---- C:\Temp
2010-01-30 21:22:59 ----A---- C:\windows\system32\MagUIInter.dll
2010-01-30 21:22:59 ----A---- C:\windows\system32\MagUIEngine.dll
2010-01-30 21:22:59 ----A---- C:\windows\system32\MagPCMac.dll
2010-01-30 21:22:59 ----A---- C:\windows\system32\MagCore.dll
2010-01-30 21:22:59 ----A---- C:\windows\system32\dtsdecoderdll.dll
2010-01-30 21:22:58 ----A---- C:\windows\system32\libFLAC.dll
2010-01-30 21:22:58 ----A---- C:\windows\system32\checkactivate.dll
2010-01-30 21:22:55 ----A---- C:\windows\system32\yv12vfw.dll
2010-01-30 21:15:51 ----D---- C:\Program Files\RipBot
2010-01-27 22:04:58 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-01-27 22:04:52 ----D---- C:\Program Files\Common Files\Java
2010-01-26 20:26:35 ----D---- C:\Documents and Settings\DazAndMich\Application Data\AccurateRip
2010-01-26 20:11:23 ----D---- C:\Program Files\Exact Audio Copy
2010-01-19 21:21:14 ----D---- C:\Program Files\MPlayer for Windows
2010-01-16 09:28:29 ----D---- C:\Program Files\Windows Installer Clean Up
2010-01-16 09:28:09 ----D---- C:\Program Files\MSECACHE
2010-01-15 21:49:48 ----D---- C:\Program Files\Common Files\Apple
2010-01-15 21:08:40 ----D---- C:\Config.Msi
2010-01-14 22:21:50 ----HDC---- C:\windows\$NtUninstallKB955759$
2010-01-12 21:41:15 ----HDC---- C:\windows\$NtUninstallKB972270$
2010-01-06 22:24:16 ----D---- C:\Documents and Settings\DazAndMich\Application Data\SPlayer

======List of files/folders modified in the last 3 months======

2010-03-19 19:23:30 ----RD---- C:\Program Files
2010-03-19 19:23:25 ----D---- C:\windows\Prefetch
2010-03-19 19:23:15 ----D---- C:\windows\Temp
2010-03-19 19:22:43 ----D---- C:\Downloads
2010-03-19 19:12:56 ----SHD---- C:\System Volume Information
2010-03-19 00:15:51 ----A---- C:\windows\SchedLgU.Txt
2010-03-19 00:14:04 ----SHD---- C:\windows\Installer
2010-03-19 00:14:04 ----D---- C:\Program Files\Common Files
2010-03-18 22:20:52 ----D---- C:\windows\system32\drivers
2010-03-18 22:18:57 ----D---- C:\windows\system32\CatRoot2
2010-03-18 22:11:24 ----D---- C:\WINDOWS
2010-03-18 22:11:24 ----A---- C:\windows\system.ini
2010-03-18 22:06:57 ----D---- C:\windows\system32
2010-03-18 22:06:57 ----D---- C:\windows\system
2010-03-18 22:03:39 ----D---- C:\windows\AppPatch
2010-03-18 21:53:26 ----D---- C:\windows\system32\Restore
2010-03-17 21:09:33 ----D---- C:\Documents and Settings\DazAndMich\Application Data\uTorrent
2010-03-17 20:50:32 ----D---- C:\Program Files\Mp3tag
2010-03-17 20:43:00 ----A---- C:\windows\system32\deploytk.dll
2010-03-17 19:44:59 ----HD---- C:\windows\inf
2010-03-16 20:29:23 ----RSD---- C:\windows\assembly
2010-03-16 20:29:04 ----D---- C:\windows\system32\URTTemp
2010-03-16 20:28:45 ----D---- C:\windows\Registration
2010-03-16 20:28:33 ----A---- C:\windows\system32\PerfStringBackup.INI
2010-03-15 23:33:59 ----A---- C:\windows\ModemLog_HDAUDIO Soft Data Fax Modem with SmartCP.txt
2010-03-15 22:48:20 ----A---- C:\windows\win.ini
2010-03-15 06:51:10 ----D---- C:\windows\Microsoft.NET
2010-03-10 07:16:02 ----D---- C:\windows\RegisteredPackages
2010-03-10 07:13:51 ----SD---- C:\windows\Tasks
2010-03-10 03:04:49 ----RSHDC---- C:\windows\system32\dllcache
2010-03-10 03:04:49 ----D---- C:\Program Files\Movie Maker
2010-03-10 03:04:13 ----HD---- C:\windows\$hf_mig$
2010-03-10 03:00:51 ----D---- C:\windows\Debug
2010-03-08 22:31:12 ----D---- C:\Documents and Settings\DazAndMich\Application Data\FileZilla
2010-03-08 21:48:13 ----D---- C:\Program Files\Mozilla Firefox
2010-03-06 19:02:10 ----D---- C:\windows\WinSxS
2010-03-06 18:47:35 ----D---- C:\Program Files\Internet Explorer
2010-03-06 18:47:30 ----D---- C:\windows\ie8updates
2010-03-04 19:19:18 ----D---- C:\Program Files\uTorrent
2010-03-02 05:30:12 ----A---- C:\windows\system32\MRT.exe
2010-03-01 18:07:13 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Mozilla
2010-02-28 22:06:14 ----SD---- C:\Documents and Settings\DazAndMich\Application Data\Microsoft
2010-02-28 15:50:40 ----D---- C:\Program Files\CCleaner
2010-02-27 20:50:22 ----D---- C:\Documents and Settings\DazAndMich\Application Data\AnvSoft
2010-02-25 20:17:53 ----D---- C:\Documents and Settings\All Users\Application Data\WinZip
2010-02-19 18:58:43 ----D---- C:\windows\system32\CatRoot
2010-02-19 18:52:11 ----D---- C:\Program Files\Windows Media Player
2010-02-18 22:24:37 ----D---- C:\windows\Help
2010-02-17 23:33:59 ----D---- C:\windows\security
2010-02-16 20:27:29 ----D---- C:\Program Files\Google
2010-02-06 09:09:48 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-02-01 19:33:13 ----SD---- C:\windows\Downloaded Program Files
2010-01-30 21:07:13 ----D---- C:\Program Files\AviSynth 2.5
2010-01-27 22:07:36 ----D---- C:\Program Files\AlbumArtDownloader
2010-01-24 08:41:58 ----D---- C:\Program Files\NortonInstaller
2010-01-23 08:11:44 ----N---- C:\windows\system32\tzchange.exe
2010-01-18 21:17:06 ----D---- C:\Program Files\Adobe
2010-01-18 21:14:37 ----D---- C:\Program Files\Hewlett-Packard
2010-01-18 21:13:57 ----D---- C:\Program Files\Microsoft Bootvis
2010-01-18 21:12:58 ----D---- C:\Program Files\Xilisoft
2010-01-18 20:57:13 ----D---- C:\Program Files\Acro Software
2010-01-18 20:53:54 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Any Video Converter
2010-01-18 20:50:22 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Amazon
2010-01-18 20:42:11 ----D---- C:\Program Files\ElcomSoft
2010-01-18 20:11:48 ----D---- C:\Program Files\Common Files\Adobe
2010-01-16 11:46:18 ----D---- C:\Documents and Settings\DazAndMich\Application Data\Adobe
2010-01-16 11:23:20 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-01-16 09:24:58 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-01-15 23:04:00 ----DC---- C:\windows\system32\DRVSTORE
2010-01-12 18:46:58 ----D---- C:\Documents and Settings\DazAndMich\Application Data\DivX
2010-01-09 21:07:54 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-22 22:32:14 ----A---- C:\windows\APDFPRP.INI
2009-12-21 19:14:05 ----N---- C:\windows\system32\wininet.dll
2009-12-21 19:14:05 ----A---- C:\windows\system32\urlmon.dll
2009-12-21 19:14:04 ----N---- C:\windows\system32\mshtml.dll
2009-12-21 19:14:04 ----A---- C:\windows\system32\occache.dll
2009-12-21 19:14:03 ----A---- C:\windows\system32\msfeedsbs.dll
2009-12-21 19:14:03 ----A---- C:\windows\system32\msfeeds.dll
2009-12-21 19:14:03 ----A---- C:\windows\system32\jsproxy.dll
2009-12-21 19:14:03 ----A---- C:\windows\system32\iertutil.dll
2009-12-21 19:14:03 ----A---- C:\windows\system32\iepeers.dll
2009-12-21 19:14:02 ----A---- C:\windows\system32\ieframe.dll
2009-12-21 19:14:01 ----A---- C:\windows\system32\iedkcs32.dll
2009-12-21 13:19:18 ----A---- C:\windows\system32\ie4uinit.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 BHDrvx86;BHDrvx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys []
R1 ccHP;Symantec Hash Provider; C:\windows\system32\drivers\NIS\1105000.07F\ccHPx86.sys [2009-12-09 501888]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\windows\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\windows\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]
R1 SRTSP;Symantec Real Time Storage Protection; C:\windows\System32\Drivers\NIS\1105000.07F\SRTSP.SYS [2009-12-03 325168]
R1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\windows\system32\drivers\NIS\1105000.07F\SRTSPX.SYS [2009-12-03 43696]
R1 SymIRON;Symantec Iron Driver; C:\windows\system32\drivers\NIS\1105000.07F\Ironx86.SYS [2009-11-26 116272]
R1 SYMTDI;Symantec Network Dispatch Driver; C:\windows\System32\Drivers\NIS\1105000.07F\SYMTDI.SYS [2009-11-22 362032]
R2 mdmxsdk;mdmxsdk; C:\windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R3 Arp1394;1394 ARP Client Protocol; C:\windows\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\windows\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\windows\system32\DRIVERS\GEARAspiWDM.sys [2009-12-23 15664]
R3 HBtnKey;ThinkPad Tablet Keyboard and Buttons HID Driver; C:\windows\system32\DRIVERS\tkbtnpn.sys [2005-11-15 7463]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\windows\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HSF_DPV;HSF_DPV; C:\windows\system32\DRIVERS\HSF_DPV.sys [2008-10-15 985856]
R3 HSFHWAZL;HSFHWAZL; C:\windows\system32\DRIVERS\HSFHWAZL.sys [2008-10-15 210048]
R3 ialm;ialm; C:\windows\system32\DRIVERS\igxpmp32.sys [2007-01-13 5672032]
R3 IDSxpx86;IDSxpx86; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100312.001\IDSxpx86.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\windows\system32\drivers\RtkHDAud.sys [2009-04-20 5070848]
R3 NAVENG;NAVENG; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100317.051\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100317.051\NAVEX15.SYS []
R3 NIC1394;1394 Net Driver; C:\windows\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\windows\system32\DRIVERS\Rtnicxp.sys [2009-03-25 130432]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SymIMMP;SymIMMP; C:\windows\system32\DRIVERS\SymIM.sys [2009-12-03 47408]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\windows\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\windows\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\windows\system32\DRIVERS\w29n51.sys [2008-01-07 2216064]
R3 winachsf;winachsf; C:\windows\system32\DRIVERS\HSF_CNXT.sys [2008-10-15 731264]
S3 Ambfilt;Ambfilt; C:\windows\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\windows\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\windows\system32\DRIVERS\HPZid412.sys [2005-07-08 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\windows\system32\DRIVERS\HPZipr12.sys [2005-07-08 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\windows\system32\DRIVERS\HPZius12.sys [2005-07-08 21744]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1; C:\windows\system32\drivers\libusb0.sys [2007-03-20 28672]
S3 MHNDRV;MHN driver; C:\windows\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 Monfilt;Monfilt; C:\windows\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\windows\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 SYMFW;Symantec Network Filter Driver; C:\windows\System32\Drivers\NIS\1007020.00B\SYMFW.SYS []
S3 SYMIDS;Symantec Network Filter Driver; C:\windows\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS []
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\windows\system32\DRIVERS\SymIM.sys [2009-12-03 47408]
S3 SYMNDIS;Symantec Network Filter Driver; C:\windows\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS []
S3 UIUSys;Conexant Setup API; C:\windows\system32\DRIVERS\UIUSYS.SYS []
S3 USBAAPL;Apple Mobile USB Driver; C:\windows\System32\Drivers\usbaapl.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\windows\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\windows\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\windows\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WpdUsb;WpdUsb; C:\windows\System32\Drivers\wpdusb.sys [2005-01-28 18944]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\windows\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\windows\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-03-17 153376]
R2 NIS;Norton Internet Security; C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe [2009-12-09 126392]
R2 UMWdf;Windows User Mode Driver Framework; C:\windows\system32\wdfmgr.exe [2005-01-28 38912]
R3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-03-18 65536]
S2 gupdate1c9ccea59430db0;Google Update Service (gupdate1c9ccea59430db0); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-05-04 133104]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2009-04-18 72704]
S3 aspnet_state;ASP.NET State Service; C:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\windows\system32\svchost.exe [2008-04-14 14336]
S4 ATMsrvc;ATM Service; C:\windows\System32\ATMsrvc.exe [2000-05-24 15360]
S4 ehRecvr;Media Center Receiver Service; C:\windows\eHome\ehRecvr.exe [2006-10-09 237568]
S4 ehSched;Media Center Scheduler Service; C:\windows\eHome\ehSched.exe [2005-08-05 102912]
S4 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
S4 MHN;MHN; C:\windows\System32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2010-03-19 19:23:59

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /X{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 9.3.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Shockwave Player 11.5-->"C:\windows\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Album Art Downloader XUI 0.34.1-->C:\Program Files\AlbumArtDownloader\uninst.exe
Any Video Converter Professional 3.0.1-->"C:\Program Files\AnvSoft\Any Video Converter Professional\unins000.exe"
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Cucusoft DVD to iPod + iPod Video Converter Suite 7.19.7.12-->"C:\Program Files\Cucusoft\ipod-converter\unins000.exe"
Defraggler-->"C:\Program Files\Defraggler\uninst.exe"
Exact Audio Copy 0.99pb5-->C:\Program Files\Exact Audio Copy\uninst.exe
ffdshow [rev 3246] [2010-01-30]-->"C:\Program Files\ffdshow\unins000.exe"
FileZilla Client 3.3.2-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Free Mp3 Wma Converter V 1.9-->"C:\Program Files\Free Audio Pack\unins000.exe"
Freez FLV to MP3 Converter-->"C:\Program Files\Smallvideosoft\Freez FLV to MP3 Converter\unins000.exe"
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Haali Media Splitter-->"C:\Program Files\Haali\MatroskaSplitter\uninstall.exe"
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDA_HSF\UIU32m.exe -U -IPZAZCM5K.INF
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format SDK (KB902344)-->"C:\windows\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\windows\$NtUninstallKB979306$\spuninst\spuninst.exe"
InfraRecorder-->C:\Program Files\InfraRecorder\uninstall.exe
Intel® Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
Japanese Fonts Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5760-0000-900000000003}
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medieval CUE Splitter-->MsiExec.exe /I{B96D2269-568B-4CBF-9332-12FAE8B158F7}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mp3tag v2.46-->C:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MPlayer for Windows (Full Package)-->C:\Program Files\MPlayer for Windows\Uninstall.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Norton Internet Security-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\562C4DD5\17.5.0.127\InstStub.exe /X
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
overland-->MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
Photosmart 140,240,7200,7600,7700,7900 Series-->C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\setup\hpzscr01.exe -datfile hphscr01.dat
REALTEK GbE & FE Ethernet PCI NIC Driver-->C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Secunia CSI-->"C:\Program Files\Secunia\CSI\uninstall.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\windows\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\windows\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\windows\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB970430)-->"C:\windows\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\windows\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\windows\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\windows\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\windows\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\windows\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\windows\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\windows\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\windows\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\windows\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\windows\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\windows\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\windows\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\windows\$NtUninstallKB978706$\spuninst\spuninst.exe"
Simple Port Forwarding-->"C:\windows\Simple Port Forwarding\uninstall.exe" "/U:C:\Program Files\Simple Port Forwarding\Uninstall\uninstall.xml"
Simple Port Tester-->"C:\windows\Simple Port Tester\uninstall.exe" "/U:C:\Program Files\Simple Port Tester\Uninstall\uninstall.xml"
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
ThinkPad Tablet Button Driver-->C:\Program Files\InstallShield Installation Information\{26903C89-780A-463E-8CBD-E47A73927254}\setup.exe -runfromtemp -l0x0009 -removeonly
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Windows (KB971513)-->"C:\windows\$NtUninstallKB971513$\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB971930)-->"C:\WINDOWS\ie8updates\KB971930-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB972636)-->"C:\WINDOWS\ie8updates\KB972636-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB973874)-->"C:\windows\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB975364)-->"C:\windows\ie8updates\KB975364-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976662)-->"C:\windows\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB978506)-->"C:\windows\ie8updates\KB978506-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\windows\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\windows\$NtUninstallKB971737$\spuninst\spuninst.exe"
Windows Driver Package - Intel (NETw5x32) net (11/17/2008 12.2.0.11)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst32.exe /u C:\WINDOWS\system32\DRVSTORE\netw5x32_E3DB7A2849DF31473325B4F9BDB5DAC54591572B\netw5x32.inf
Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)-->C:\PROGRA~1\DIFX\D6ACC4BE676423A2B130B78A4B627FC457D98997\dpinst32.exe /u C:\WINDOWS\system32\DRVSTORE\w29n51_AEF466EE116FDF742A02BFF75E6143DB4A91003C\w29n51.inf
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
WinZip 14.0-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240BC}
Xmarks for IE-->MsiExec.exe /X{F318330F-DE7D-4B22-AF7C-C3760DDC2EF3}

======Security center information======

AV: Norton Internet Security
FW: Norton Internet Security

======System event log======

Computer Name: MACKIN-LAPTOP01
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 16097
Source Name: Tcpip
Time Written: 20100202201854.000000+000
Event Type: warning
User:

Computer Name: MACKIN-LAPTOP01
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 16067
Source Name: Tcpip
Time Written: 20100201195342.000000+000
Event Type: warning
User:

Computer Name: MACKIN-LAPTOP01
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 16066
Source Name: Tcpip
Time Written: 20100201193921.000000+000
Event Type: warning
User:

Computer Name: MACKIN-LAPTOP01
Event Code: 14103
Message: QoS [Adapter {C391F5EA-6857-4AC9-9A0F-00B673513432}]:
The netcard driver failed the query for OID_GEN_LINK_SPEED.

Record Number: 16026
Source Name: PSched
Time Written: 20100131183344.000000+000
Event Type: error
User:

Computer Name: MACKIN-LAPTOP01
Event Code: 14103
Message: QoS [Adapter {C391F5EA-6857-4AC9-9A0F-00B673513432}]:
The netcard driver failed the query for OID_GEN_LINK_SPEED.

Record Number: 16014
Source Name: PSched
Time Written: 20100131170801.000000+000
Event Type: error
User:

=====Application event log=====

Computer Name: MACKIN-LAPTOP01
Event Code: 20
Message:
Record Number: 3059
Source Name: Google Update
Time Written: 20091016022914.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: MACKIN-LAPTOP01
Event Code: 20
Message:
Record Number: 3058
Source Name: Google Update
Time Written: 20091016012916.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: MACKIN-LAPTOP01
Event Code: 20
Message:
Record Number: 3057
Source Name: Google Update
Time Written: 20091016002925.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: MACKIN-LAPTOP01
Event Code: 20
Message:
Record Number: 3056
Source Name: Google Update
Time Written: 20091015232930.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: MACKIN-LAPTOP01
Event Code: 20
Message:
Record Number: 3055
Source Name: Google Update
Time Written: 20091015222929.000000+060
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Adobe\AGL
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 20:12:44
Windows 5.1.2600 Service Pack 3
Running: 63n6bdom.exe; Driver: C:\DOCUME~1\DAZAND~1\LOCALS~1\Temp\kwriakog.sys


---- System - GMER 1.0.15 ----

SSDT 8217E050 ZwAlertResumeThread
SSDT 815749D0 ZwAlertThread
SSDT 814854D0 ZwAllocateVirtualMemory
SSDT 8224A1A8 ZwAssignProcessToJobObject
SSDT 8226C0D0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA91F1210]
SSDT 814E8BC8 ZwCreateMutant
SSDT 814E86B0 ZwCreateSymbolicLinkObject
SSDT 814858E0 ZwCreateThread
SSDT 82262438 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA91F1490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA91F19F0]
SSDT 81485628 ZwDuplicateObject
SSDT 81485330 ZwFreeVirtualMemory
SSDT 8214D050 ZwImpersonateAnonymousToken
SSDT 821A64C8 ZwImpersonateThread
SSDT 82272100 ZwLoadDriver
SSDT 81485250 ZwMapViewOfSection
SSDT 82129050 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xA91F17A0]
SSDT 814857C8 ZwOpenProcess
SSDT 820F1978 ZwOpenProcessToken
SSDT 815172E8 ZwOpenSection
SSDT 814856F8 ZwOpenThread
SSDT 814E8780 ZwProtectVirtualMemory
SSDT 82137180 ZwResumeThread
SSDT 8213B198 ZwSetContextThread
SSDT 814850F8 ZwSetInformationProcess
SSDT 82148050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA91F1C40]
SSDT 821435E0 ZwSuspendProcess
SSDT 82146110 ZwSuspendThread
SSDT 814B1070 ZwTerminateProcess
SSDT 8152CA90 ZwTerminateThread
SSDT 82118AE0 ZwUnmapViewOfSection
SSDT 81485400 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files: log.txt, info.txt, gmer.log

Edited by aommaster, 19 March 2010 - 04:45 PM.


#4 aommaster ("I !<3 malware"), Malware Response Team, 5,289 posts, Gender: Male, Location: Dubai

Posted 19 March 2010 - 04:48 PM

Hello, takuhii.
Please copy and paste your logs into your reply, as that makes them easier for me to read.

Let's make sure you're really clean.
We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the Export To button and post the contents of the ActiveScan report

In your next reply, please include the following:
  • ActiveScan Report

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 takuhii (Topic Starter), Members, 5 posts

Posted 20 March 2010 - 06:47 AM

Hi,
Panda Virus found something; I've attached the log below:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-03-20 11:41:44
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 5
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton Internet Security 17.5.0.127 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@247realmedia[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@mediaplex[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@apmebf[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@advertising[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@realmedia[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@zedo[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@go[1].txt
00205140 Cookie/Research-int TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@research-int[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@adviva[2].txt
00273339 Cookie/Smartadserver TrackingCookie No 0 Yes No c:\documents and settings\dazandmich\cookies\dazandmich@smartadserver[1].txt
00484705 Application/IEDefender HackTools No 0 Yes No c:\system volume information\_restore{5b86fccd-5ee7-42a6-ae90-7ac847e66f4a}\rp2\a0000254.exe
00484705 Application/IEDefender HackTools No 0 Yes No c:\documents and settings\dazandmich\my documents\downloads\smitfraudfix\iedfix.c.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\system volume information\_restore{5b86fccd-5ee7-42a6-ae90-7ac847e66f4a}\rp2\a0000246.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\dazandmich\my documents\downloads\smitfraudfix\404fix.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\documents and settings\dazandmich\local settings\application data\mozilla\firefox\profiles\it5b1sjv.default\cache\87deed25d01
No c:\documents and settings\dazandmich\my documents\downloads\smitfraudfix.exe
No c:\downloads\combofix.exe[32788r22fwjfw\pev.exe]
No c:\system volume information\_restore{5b86fccd-5ee7-42a6-ae90-7ac847e66f4a}\rp2\a0000075.exe
No c:\windows\pev.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
216839 HIGH MS10-001
;===================================================================================================================================================================================


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:32 AM

Posted 20 March 2010 - 08:32 AM

Hello, takuhii.
Those files are fine. They're system restore points and cookies for your browser.
We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • MBAM Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 takuhii

takuhii
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 20 March 2010 - 11:16 AM

MBAM didn't find anything; I have included the log below:

Malwarebytes' Anti-Malware 1.44
Database version: 3888
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/03/2010 16:14:30
mbam-log-2010-03-20 (16-14-30).txt

Scan type: Quick Scan
Objects scanned: 118552
Time elapsed: 10 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:32 AM

Posted 20 March 2010 - 11:31 AM

Hello, takuhii.

Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.
Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
  2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  3. Then go to Start > Run and type: Cleanmgr
  4. Click "OK".
  5. Click the "More Options" Tab.
  6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be wary about attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  4. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast! and Antivir and AVG Antivirus
    3. An antispyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
  5. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

Some more links you might find of interest:

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
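As an added example (my own script, not part of aommaster's post or any BleepingComputer tool), here is a PowerShell audit of the six Internet-zone settings listed under step 2 above, so the values can be checked against the recommendation without clicking through the dialog. It uses the registry value ids Microsoft documents for those settings (KB 182569); the function name Test-IEInternetZone and the -Fix switch are my own.

```powershell
# Added example, not from the thread: audit (and optionally apply) the Internet-zone
# settings recommended above. Per-user values live under Zones\3 (3 = Internet zone);
# each setting's data is 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Setting ids as documented by Microsoft (KB 182569), with the value the post asks for.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SettingLabel([object]$Value) {
    if ($Value -eq $null) { return '(not set: zone default applies)' }
    if ($Label.ContainsKey([int]$Value)) { return $Label[[int]$Value] }
    return "unknown ($Value)"
}

# Test-IEInternetZone is a hypothetical name for this check, not a built-in cmdlet.
function Test-IEInternetZone {
    param([switch]$Fix)   # -Fix writes the recommended value wherever the current one differs
    foreach ($Id in ($Recommended.Keys | Sort-Object)) {
        $Entry = $Recommended[$Id]
        # Read the value by name; a missing value means the zone's default applies.
        $Current = (Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue).$Id
        $Compliant = ($Current -ne $null) -and ([int]$Current -eq $Entry.Want)
        if ($Fix -and -not $Compliant) {
            Set-ItemProperty -Path $ZonePath -Name $Id -Value $Entry.Want -Type DWord
            $Current = $Entry.Want
            $Compliant = $true
        }
        New-Object PSObject -Property @{
            Id          = $Id
            Setting     = $Entry.Name
            Current     = Get-SettingLabel $Current
            Recommended = $Label[$Entry.Want]
            Compliant   = $Compliant
        }
    }
}

# Report first; re-run with -Fix only after reviewing the table.
Test-IEInternetZone | Format-Table Id, Setting, Current, Recommended, Compliant -AutoSize
```

A value that shows "(not set)" is inheriting the zone default rather than being explicitly hardened, which is why the audit treats it as non-compliant.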


#9 takuhii

takuhii
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:06:32 AM

Posted 20 March 2010 - 03:39 PM

OK, THANK YOU for all your help. It is very much appreciated. It does seem as though the fault has gone this time, hopefully, PERMANENTLY ;)

Thank you
Darren

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,289 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:10:32 AM

Posted 20 March 2010 - 03:48 PM

Hehe... glad to help

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM




