Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

JS:ScriptIP and RECYCLER


  • This topic is locked This topic is locked
22 replies to this topic

#1 KJLue

KJLue

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 01 May 2010 - 11:11 AM


Previously discussed problem in this thread: http://www.bleepingcomputer.com/forums/ind...p;#entry1728198

I was asked to post a DDS log here.

I am using Windows 7 and might have a Recycler and a JS:ScriptIP infection. I am also using Avast Anti-virus, which informed me of the presence of the second infection on a website while searching on google and I clicked Abort Connection. Recycler folder keeps appearing on my USB which I have to plug into my work computer and then into my laptop (Windows 7) every now and then. So I was wondering if my USB and laptop were infected, and if yes, how to cure and prevent the infection from happening again.


DDS (Ver_10-03-17.01) - NTFSx86
Run by FO at 20:55:30.69 on 01/05/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2045.884 [GMT 5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\vfsFPService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.7.0.30\InstStub.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\FO\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
uURLSearchHooks: Castle Age Toolbar: {aac4043a-8832-4abe-9963-35377f30b8e6} - c:\program files\castle_age\tbCast.dll
mURLSearchHooks: Castle Age Toolbar: {aac4043a-8832-4abe-9963-35377f30b8e6} - c:\program files\castle_age\tbCast.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.7.0.30\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.7.0.30\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Castle Age Toolbar: {aac4043a-8832-4abe-9963-35377f30b8e6} - c:\program files\castle_age\tbCast.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.7.0.30\coIEPlg.dll
TB: Castle Age Toolbar: {aac4043a-8832-4abe-9963-35377f30b8e6} - c:\program files\castle_age\tbCast.dll
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\fo\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [HPCam_Menu] "c:\program files\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\media\webcam" updatewithcreateonce "software\hewlett-packard\media\Webcam"
mRun: [SmartMenu] c:\program files\hewlett-packard\hp mediasmart\SmartMenu.exe /background
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [NortonOnlineBackupReminder] "c:\program files\symantec\norton online backup\activation\NobuActivation.exe" UNATTENDED
mRun: [UpdatePRCShortCut] "c:\program files\hewlett-packard\recovery\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\recovery" updatewithcreateonce "software\cyberlink\PowerRecover"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: []
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-system: WallpaperStyle = 2
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-system: WallpaperStyle = 2
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.7.0.30\CoIEPlg.dll
LSA: Notification Packages = scecli DPPWDFLT
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-2 114768]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\AEstSrv.exe [2009-8-25 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-3 176128]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-2 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-2 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-2 138680]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2009-7-9 26168]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.7.0.30\ccSvcHst.exe [2009-8-20 117640]
R2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2009-6-3 599344]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-2 352920]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-8-20 228408]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2009-6-29 59904]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-7-21 116136]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-8-25 185344]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1007000.01e\BHDrvx86.sys [2009-8-20 259632]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-8-25 29472]
S3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1007000.01e\cchpx86.sys [2009-8-20 482432]
S3 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090712.001\IDSvix86.sys [2009-8-20 293424]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-14 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-14 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-14 661504]
S3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1007000.01e\SymEFA.sys [2009-8-20 310320]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-10 1343400]

=============== Created Last 30 ================

2010-04-28 06:58:27 0 d-----w- c:\programdata\Sun
2010-04-28 06:58:11 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 03:06:26 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 03:06:26 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 02:28:32 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-27 05:19:00 0 d-----w- c:\users\fo\appdata\roaming\QuickScan
2010-04-15 02:45:02 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 02:45:02 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 02:40:37 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 02:38:55 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 02:38:55 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 02:38:55 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 10:52:26 0 d-----w- c:\program files\iPod
2010-04-14 10:52:25 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 10:52:25 0 d-----w- c:\program files\iTunes
2010-04-14 10:46:39 0 d-----w- c:\program files\Bonjour
2010-04-14 01:21:21 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 01:21:20 132608 ----a-w- c:\windows\system32\cabview.dll

==================== Find3M ====================

2010-04-01 12:05:05 41 ----a-w- c:\users\fo\jagex_runescape_preferences.dat
2010-04-01 12:02:43 69 ----a-w- c:\users\fo\jagex_runescape_preferences2.dat
2010-03-29 19:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 09:00:17 0 ----a-w- c:\users\fo\jagex__preferences3.dat
2010-02-24 05:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 06:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 06:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-26 14:31:03 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:56:16.42 ===============


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 04 May 2010 - 12:02 PM

Hello ,
And welcome.gif to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 09 May 2010 - 08:58 AM

Here is the OTL log:
OTL logfile created on: 09/05/2010 06:53:52 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\FO\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 46.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.24 Gb Total Space | 233.73 Gb Free Space | 81.65% Space Free | Partition Type: NTFS
Drive D: | 11.65 Gb Total Space | 1.95 Gb Free Space | 16.70% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FO-PC
Current User Name: FO
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/09 18:53:06 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\FO\Desktop\OTL.exe
PRC - [2010/04/26 22:13:25 | 000,531,440 | ---- | M] (Google Inc.) -- C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/03/26 01:09:58 | 010,358,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/01/31 10:33:51 | 002,937,528 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2009/11/25 04:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/25 04:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/25 04:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/25 04:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/25 04:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/31 10:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/20 03:19:55 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
PRC - [2009/08/20 03:19:37 | 000,985,952 | ---- | M] (Symantec Corporation) -- C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.7.0.30\InstStub.exe
PRC - [2009/07/31 04:49:36 | 000,062,752 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BtITunesPlugIn.exe
PRC - [2009/07/31 04:49:34 | 000,795,936 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2009/07/31 04:49:34 | 000,582,944 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009/07/24 08:45:52 | 000,128,296 | ---- | M] (CyberLink Corp.) -- c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
PRC - [2009/07/23 23:37:16 | 000,206,120 | ---- | M] (CyberLink) -- c:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
PRC - [2009/07/22 06:33:00 | 000,458,844 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009/07/22 06:33:00 | 000,221,266 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\stacsv.exe
PRC - [2009/07/21 22:34:52 | 000,567,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
PRC - [2009/07/18 03:25:20 | 000,842,816 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpAgent.exe
PRC - [2009/07/18 03:25:20 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) -- C:\Program Files\DigitalPersona\Bin\DpHostW.exe
PRC - [2009/07/17 03:09:44 | 000,423,208 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Hewlett-Packard\Media\iTV\iTVAgent.exe
PRC - [2009/07/14 06:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/14 06:14:24 | 000,157,184 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Windows Defender\MpCmdRun.exe
PRC - [2009/07/14 06:14:15 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/07/03 02:16:00 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/07/03 02:15:00 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/06/03 14:12:50 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) -- C:\Windows\System32\vfsFPService.exe
PRC - [2009/03/28 07:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2009/03/03 02:43:00 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\AEstSrv.exe
PRC - [2009/02/07 05:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe


========== Modules (SafeList) ==========

MOD - [2010/05/09 18:53:06 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\FO\Desktop\OTL.exe
MOD - [2009/07/14 06:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 06:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 06:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/14 06:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 06:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/14 06:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 06:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 06:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 06:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 06:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 06:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 06:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/08 04:21:30 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/10 03:00:39 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/01/13 06:33:00 | 003,477,452 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\System32\GameMon.des -- (npggsvc)
SRV - [2009/11/25 04:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/25 04:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/25 04:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/25 04:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/08/20 03:19:55 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2009/07/31 04:49:34 | 000,582,944 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2009/07/22 06:33:00 | 000,221,266 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\stacsv.exe -- (STacSV)
SRV - [2009/07/18 03:25:20 | 000,322,624 | ---- | M] (DigitalPersona, Inc.) [Auto | Running] -- C:\Program Files\DigitalPersona\Bin\DpHostW.exe -- (DpHost)
SRV - [2009/07/14 06:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 06:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 06:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 06:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 06:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 06:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 06:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 06:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 06:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 06:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 06:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 06:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 06:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 06:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 06:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 06:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 06:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 06:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 06:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 06:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/07/03 02:15:00 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/06/03 14:12:50 | 000,599,344 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] -- C:\Windows\System32\vfsFPService.exe -- (vfsFPService)
SRV - [2009/03/28 07:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2009/03/03 02:43:00 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - [2010/01/02 13:48:22 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/12/11 12:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/11/25 04:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/25 04:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/25 04:49:48 | 000,053,328 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2009/11/25 04:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/25 04:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/08/25 13:44:08 | 002,506,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2009/08/20 03:19:56 | 000,875,728 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090713.024\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/08/20 03:19:56 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\NIS\1007000.01E\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/20 03:19:56 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\system32\drivers\NIS\1007000.01E\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/20 03:19:56 | 000,293,424 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/08/20 03:19:56 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\NIS\1007000.01E\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/20 03:19:56 | 000,087,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090713.024\NAVENG.SYS -- (NAVENG)
DRV - [2009/08/20 03:19:56 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\NIS\1007000.01E\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/20 03:19:56 | 000,025,648 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\SymIMV.sys -- (SymIM)
DRV - [2009/08/20 03:19:55 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\NIS\1007000.01E\ccHPx86.sys -- (ccHP)
DRV - [2009/08/20 03:19:55 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\NIS\1007000.01E\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/07/22 06:33:00 | 000,409,088 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/07/21 08:39:00 | 000,116,136 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2009/07/15 04:16:00 | 000,212,656 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/07/14 06:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 06:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 06:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 06:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 06:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 06:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 06:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 06:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 06:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 06:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 06:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 06:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 06:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 06:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 06:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 06:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 06:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 06:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 06:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 06:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 06:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 06:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 06:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 06:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 06:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 06:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 06:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 06:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 06:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 06:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 06:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 06:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 06:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 06:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 06:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 06:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 06:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 06:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 06:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 05:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 05:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 05:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 04:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 04:54:16 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\usb8023.sys -- (USB_RNDIS)
DRV - [2009/07/14 04:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 04:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 04:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/14 04:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 04:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 04:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 04:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 04:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2009/07/14 04:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 04:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 04:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 04:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 04:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 04:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 04:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 04:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 04:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/14 03:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/14 03:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/14 03:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/14 03:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/14 03:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/14 03:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/14 03:31:00 | 000,185,344 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/07/14 03:13:46 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTDPV3.SYS -- (SrvHsfV92)
DRV - [2009/07/14 03:13:45 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTCNXT3.SYS -- (SrvHsfWinac)
DRV - [2009/07/14 03:13:45 | 000,207,360 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTAZL3.SYS -- (SrvHsfHDA)
DRV - [2009/07/14 03:02:52 | 000,347,264 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvm62x32.sys -- (NVENETFD)
DRV - [2009/07/14 03:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/14 03:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/14 03:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/09 01:48:38 | 000,025,656 | ---- | M] (Hewlett-Packard) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2009/07/09 01:48:22 | 000,033,848 | ---- | M] (Hewlett-Packard) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2009/07/03 02:50:00 | 004,994,048 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/02 01:46:14 | 000,086,056 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwaudio.sys -- (btwaudio)
DRV - [2009/07/02 01:46:12 | 000,108,072 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwavdt.sys -- (btwavdt)
DRV - [2009/07/02 01:46:04 | 000,018,344 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwrchid.sys -- (btwrchid)
DRV - [2009/06/29 23:17:00 | 000,059,904 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\enecir.sys -- (enecir)
DRV - [2009/06/29 21:59:00 | 000,101,392 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2009/04/29 20:46:54 | 000,015,872 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\system32\DRIVERS\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2009/04/08 04:32:50 | 000,029,472 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\btwl2cap.sys -- (btwl2cap)
DRV - [2009/04/07 06:12:44 | 001,161,664 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKLM\..\URLSearchHook: {aac4043a-8832-4abe-9963-35377f30b8e6} - C:\Program Files\Castle_Age\tbCast.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
IE - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\..\URLSearchHook: {aac4043a-8832-4abe-9963-35377f30b8e6} - C:\Program Files\Castle_Age\tbCast.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files\DigitalPersona\Bin\FirefoxExt\ [2009/08/25 14:19:05 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/11 02:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (DigitalPersona Personal Extension) - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll (DigitalPersona, Inc.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.0.30\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Castle Age Toolbar) - {aac4043a-8832-4abe-9963-35377f30b8e6} - C:\Program Files\Castle_Age\tbCast.dll (Conduit Ltd.)
O2 - BHO: (FDMIECookiesBHO Class) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll ()
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Castle Age Toolbar) - {aac4043a-8832-4abe-9963-35377f30b8e6} - C:\Program Files\Castle_Age\tbCast.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\..\Toolbar\WebBrowser: (Castle Age Toolbar) - {AAC4043A-8832-4ABE-9963-35377F30B8E6} - C:\Program Files\Castle_Age\tbCast.dll (Conduit Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\DpAgent.exe (DigitalPersona, Inc.)
O4 - HKLM..\Run: [HPCam_Menu] c:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
O4 - HKLM..\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe ()
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [UpdatePRCShortCut] C:\Program Files\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-21-44142466-3684198360-2551735598-1000..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O7 - HKU\S-1-5-21-44142466-3684198360-2551735598-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: WallpaperStyle = 2
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll (Symantec Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 02:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/09 18:53:21 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Users\FO\Desktop\OTL.exe
[2010/05/09 10:23:40 | 000,000,000 | ---D | C] -- C:\Users\FO\AppData\Local\TVU Networks
[2010/05/09 10:23:40 | 000,000,000 | ---D | C] -- C:\ProgramData\TVU Networks
[2010/05/09 10:22:12 | 000,000,000 | ---D | C] -- C:\Users\FO\AppData\Roaming\HP
[2010/05/09 10:22:12 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2010/05/01 21:02:46 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/05/01 09:04:43 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/28 11:58:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/04/28 11:58:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/28 11:58:11 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/04/28 11:58:11 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/04/28 11:58:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/04/28 11:58:11 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/04/28 08:06:26 | 001,037,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2010/04/28 08:06:26 | 000,133,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecpkg.sys
[2010/04/27 10:19:00 | 000,000,000 | ---D | C] -- C:\Users\FO\AppData\Roaming\QuickScan
[2010/04/25 09:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\FLV Player
[2010/04/18 17:01:23 | 000,000,000 | ---D | C] -- C:\Users\FO\Desktop\A219
[2010/04/15 07:45:02 | 003,954,568 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2010/04/15 07:45:02 | 003,899,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2010/04/15 07:40:37 | 000,427,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\vbscript.dll
[2010/04/14 15:52:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/14 15:52:25 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/14 15:52:25 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/14 15:48:52 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/14 15:46:39 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

========== Files - Modified Within 30 Days ==========

[2010/05/09 18:55:34 | 002,097,152 | -HS- | M] () -- C:\Users\FO\NTUSER.DAT
[2010/05/09 18:53:06 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\FO\Desktop\OTL.exe
[2010/05/09 18:43:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-44142466-3684198360-2551735598-1000UA.job
[2010/05/09 18:43:00 | 000,000,842 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-44142466-3684198360-2551735598-1000Core.job
[2010/05/09 18:09:07 | 000,013,312 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing A2 week 14.doc
[2010/05/09 18:06:27 | 000,012,800 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing C2 week 14.doc
[2010/05/09 17:58:07 | 000,014,336 | ---- | M] () -- C:\Users\FO\Documents\CsA2marks.xls
[2010/05/09 17:54:07 | 000,018,432 | ---- | M] () -- C:\Users\FO\Desktop\CSC2marks.xls
[2010/05/09 14:56:21 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/09 14:56:21 | 000,615,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/09 14:56:21 | 000,103,702 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/09 06:57:17 | 000,023,024 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/09 06:57:17 | 000,023,024 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/09 06:49:56 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/09 06:49:49 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/09 06:49:44 | 1608,400,896 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/07 23:23:49 | 001,751,129 | -H-- | M] () -- C:\Users\FO\AppData\Local\IconCache.db
[2010/05/07 08:04:51 | 000,000,308 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForFO.job
[2010/05/06 09:07:38 | 000,000,075 | ---- | M] () -- C:\Users\FO\jagex_runescape_preferences2.dat
[2010/05/06 09:07:38 | 000,000,041 | ---- | M] () -- C:\Users\FO\jagex_runescape_preferences.dat
[2010/05/01 21:02:38 | 248,962,696 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/01 20:53:32 | 000,525,824 | ---- | M] () -- C:\Users\FO\Desktop\dds.scr
[2010/05/01 09:05:04 | 000,001,984 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2010/04/30 21:19:01 | 000,012,288 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing c2 week 13.doc
[2010/04/30 21:16:12 | 000,012,800 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing c2 week 12.doc
[2010/04/30 21:09:57 | 000,013,312 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing A2 week 13.doc
[2010/04/30 21:06:32 | 000,013,824 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing A2 week 12.doc
[2010/04/30 17:04:09 | 000,002,198 | ---- | M] () -- C:\Users\FO\Desktop\Google Chrome.lnk
[2010/04/24 15:13:39 | 000,011,776 | ---- | M] () -- C:\Users\FO\Documents\songs to sing.doc
[2010/04/21 21:00:42 | 000,013,824 | ---- | M] () -- C:\Users\FO\Documents\slangessay.doc
[2010/04/20 16:29:57 | 000,020,480 | ---- | M] () -- C:\Users\FO\Documents\scholarshipfor shy.doc
[2010/04/20 13:51:16 | 000,019,456 | ---- | M] () -- C:\Users\FO\Documents\Sabbie email.doc
[2010/04/18 17:04:41 | 000,011,266 | ---- | M] () -- C:\Users\FO\Documents\notes.odt
[2010/04/18 12:16:30 | 000,014,336 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing A2 week 11.doc
[2010/04/18 11:41:01 | 000,012,288 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing c2 week 11.doc
[2010/04/17 15:16:43 | 000,020,480 | ---- | M] () -- C:\Users\FO\Documents\CVFatimaOmerFAST.doc
[2010/04/14 15:53:11 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/12 21:32:39 | 000,035,277 | ---- | M] () -- C:\Users\FO\Documents\Corruption Threshold.rtf
[2010/04/12 17:29:27 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2010/04/12 17:29:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2010/04/12 17:29:25 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2010/04/12 08:57:41 | 000,024,064 | ---- | M] () -- C:\Users\FO\Documents\sample paragraph dev.doc
[2010/04/12 08:57:19 | 000,009,728 | ---- | M] () -- C:\Users\FO\Documents\proposallink.doc
[2010/04/12 08:56:23 | 000,115,065 | ---- | M] () -- C:\Users\FO\Documents\paragraph-comp.pdf
[2010/04/11 16:33:19 | 000,013,824 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing A2 week 10.doc
[2010/04/11 16:11:52 | 000,012,288 | ---- | M] () -- C:\Users\FO\Documents\technical and business writing c2 week 10.doc
[2010/04/11 15:53:28 | 000,014,848 | ---- | M] () -- C:\Users\FO\Documents\quizcsA2wednesday.doc
[2010/04/11 15:52:27 | 000,000,086 | -H-- | M] () -- C:\Users\FO\Documents\.~lock.quizcsc2monday.doc#

========== Files Created - No Company Name ==========

[2010/05/09 18:09:06 | 000,013,312 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing A2 week 14.doc
[2010/05/09 18:06:24 | 000,012,800 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing C2 week 14.doc
[2010/05/01 21:02:38 | 248,962,696 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/01 20:53:43 | 000,525,824 | ---- | C] () -- C:\Users\FO\Desktop\dds.scr
[2010/04/30 21:18:22 | 000,012,288 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing c2 week 13.doc
[2010/04/30 21:16:10 | 000,012,800 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing c2 week 12.doc
[2010/04/30 21:09:56 | 000,013,312 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing A2 week 13.doc
[2010/04/30 21:06:31 | 000,013,824 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing A2 week 12.doc
[2010/04/29 12:16:15 | 000,000,308 | ---- | C] () -- C:\Windows\tasks\HPCeeScheduleForFO.job
[2010/04/24 15:13:37 | 000,011,776 | ---- | C] () -- C:\Users\FO\Documents\songs to sing.doc
[2010/04/21 21:00:39 | 000,013,824 | ---- | C] () -- C:\Users\FO\Documents\slangessay.doc
[2010/04/20 16:29:55 | 000,020,480 | ---- | C] () -- C:\Users\FO\Documents\scholarshipfor shy.doc
[2010/04/20 13:51:13 | 000,019,456 | ---- | C] () -- C:\Users\FO\Documents\Sabbie email.doc
[2010/04/18 17:04:40 | 000,011,266 | ---- | C] () -- C:\Users\FO\Documents\notes.odt
[2010/04/18 12:16:29 | 000,014,336 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing A2 week 11.doc
[2010/04/18 11:40:58 | 000,012,288 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing c2 week 11.doc
[2010/04/17 15:16:42 | 000,020,480 | ---- | C] () -- C:\Users\FO\Documents\CVFatimaOmerFAST.doc
[2010/04/14 15:53:11 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/12 15:32:25 | 000,035,277 | ---- | C] () -- C:\Users\FO\Documents\Corruption Threshold.rtf
[2010/04/12 08:57:39 | 000,024,064 | ---- | C] () -- C:\Users\FO\Documents\sample paragraph dev.doc
[2010/04/12 08:57:17 | 000,009,728 | ---- | C] () -- C:\Users\FO\Documents\proposallink.doc
[2010/04/12 08:56:22 | 000,115,065 | ---- | C] () -- C:\Users\FO\Documents\paragraph-comp.pdf
[2010/04/11 16:33:16 | 000,013,824 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing A2 week 10.doc
[2010/04/11 16:11:44 | 000,012,288 | ---- | C] () -- C:\Users\FO\Documents\technical and business writing c2 week 10.doc
[2010/04/11 15:53:26 | 000,014,848 | ---- | C] () -- C:\Users\FO\Documents\quizcsA2wednesday.doc
[2010/04/11 15:52:27 | 000,000,086 | -H-- | C] () -- C:\Users\FO\Documents\.~lock.quizcsc2monday.doc#
[2009/08/25 13:44:23 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2009/08/25 13:43:33 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/16 05:50:42 | 000,013,312 | ---- | C] () -- C:\Windows\LPRES.DLL
[2009/07/14 04:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 04:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2007/11/15 04:17:34 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CogentBioSDK.dll
< End of report >


#4 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 09 May 2010 - 08:59 AM



OTL Extras logfile created on: 09/05/2010 06:53:52 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\FO\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 46.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 286.24 Gb Total Space | 233.73 Gb Free Space | 81.65% Space Free | Partition Type: NTFS
Drive D: | 11.65 Gb Total Space | 1.95 Gb Free Space | 16.70% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FO-PC
Current User Name: FO
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-44142466-3684198360-2551735598-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\FO\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PeaZip] -- Reg Error: Value error.
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"{07FA4960-B038-49EB-891B-9F95930AA544}" = HP Customer Experience Enhancements
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron Flash Media Controller Driver
"{266D0EEA-E5A6-4A08-A0EE-5391D4EA44A7}" = Catalyst Control Center - Branding
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 20
"{27B0C2FD-9739-8D7D-6552-307C786D9097}" = Catalyst Control Center InstallProxy
"{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{3023EBDA-BF1B-4831-B347-E5018555F26E}" = HP MediaSmart Movie Themes
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons
"{38022B5C-0C69-389F-DA48-B87480B5705A}" = CCC Help Turkish
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3BBBF379-6C7E-0985-18F6-6C60D6C36EC6}" = CCC Help Portuguese
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = PowerRecover
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{495A8A3C-8FD0-4C46-9979-95C26181A1AB}" = HP Support Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B2F56AC-C043-C84F-3EF1-E6D6F21E934F}" = Catalyst Control Center Graphics Full Existing
"{4F2C2E34-5A3E-0E70-BDFC-A5B1E3C2FFAC}" = Catalyst Control Center Graphics Light
"{532715CE-CFD6-E4F8-53C3-2F1DE31C04DA}" = CCC Help Hungarian
"{54CC7901-804D-4155-B353-21F0CC9112AB}" = HP Wireless Assistant
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{558CC8A3-F1A2-9C31-7B90-F61E476B8622}" = CCC Help Dutch
"{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1" = PeaZip 2.9.1
"{5C3E7880-7F8B-4A06-A3C3-95509F092161}" = HP MediaSmart SmartMenu
"{5D76ABD5-262B-6D65-6C13-F38175C7A5AF}" = CCC Help Korean
"{5D92E608-E454-0C8C-D577-7F7C06151117}" = CCC Help Greek
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart Live TV
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{76D0B7D8-6683-4D54-A108-046A5E542F0B}" = SoftStylus
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79EECA21-CDFA-6012-5E8B-6CF2623D647A}" = Catalyst Control Center Graphics Full New
"{7BE6BC10-6737-CD9D-8363-F919B8D6D917}" = Catalyst Control Center Core Implementation
"{80FBA7A7-ABD1-4910-A916-023075C45593}" = CCC Help Danish
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85A42FF0-F0D0-44A3-B226-C124D6E8B1D5}" = HP 3D DriveGuard
"{8797DE34-22BC-CA33-6B67-A0CC2765B545}" = CCC Help German
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8136 8168 8169 Ethernet Driver
"{89D1C17B-90DE-650A-073A-A7FA7BC6ECE5}" = CCC Help French
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C664716-FD23-9902-A29E-863D056F46FC}" = CCC Help Russian
"{8F36B221-F483-B7CE-4DDA-7BDA4D81E306}" = CCC Help English
"{8FB16749-1235-D027-AF25-1D22A9FEC0D5}" = CCC Help Thai
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91A3A4DE-656A-5C7A-5B61-75FB6D167A6A}" = CCC Help Polish
"{9449FD09-6942-8BFA-05AD-D455500DA704}" = ATI Catalyst Install Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9E9D49A4-1DF4-4138-B7DB-5D87A893088E}" = HP Integrated Module with Bluetooth wireless technology
"{9EDB805A-E11C-8842-2393-FDFDA17963AC}" = CCC Help Chinese Traditional
"{A16D1BBD-BE86-0183-4152-2E85FECC31F7}" = CCC Help Finnish
"{A19856E3-C9D7-988E-5B8C-70C87342B8DD}" = Catalyst Control Center Localization All
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.3.2 MUI
"{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}" = Adobe Shockwave Player
"{AD777154-A573-4FCA-C730-D7C33437262C}" = CCC Help Czech
"{B002889A-F359-4F2A-9113-10B0A438AD70}" = DigitalPersona Personal 4.10
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B51605BF-6326-4553-AE96-6D7F1813D5F5}" = HP User Guides 0154
"{B53E61D7-7C80-40DF-82D2-CF5390D6D20A}" = HP Advisor
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B66D2CC9-652D-EBE5-497F-74BBC1029FB4}" = CCC Help Japanese
"{B6A4D07E-725F-07CD-DE49-8AB76939631D}" = CCC Help Norwegian
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BF704893-173F-4884-97D7-8FEEB78971BF}" = OpenOffice.org 3.1
"{BF930A5D-4F36-5158-C8DA-DECD5B51A78E}" = CCC Help Chinese Standard
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Activate Norton Online Backup
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C6FCE95C-0072-40C0-9AB2-3EF88DA6CED9}" = Catalyst Control Center Graphics Previews Common
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D46D081B-F60E-467E-A7C4-117B70D76731}" = HP Update
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{DF166A93-835F-DF13-E974-FD73E8D7F4F6}" = CCC Help Swedish
"{E09F7D2B-C1C1-D80B-7775-6FFE9D713C60}" = CCC Help Spanish
"{E26EEBF8-3A50-8095-5877-AE243C8852EF}" = Catalyst Control Center Graphics Previews Vista
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E553760D-D7F7-48BF-BD8B-C7E23BA04CB5}" = HP MediaSmart Internet TV
"{EC8049FF-B0E3-A963-408C-1B1D8F20DD55}" = CCC Help Italian
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F1D7AC58-554A-4A58-B784-B61558B1449A}" = QLBCASL
"{F3B912F5-EB57-45AA-B3D1-EB532BCF6EF8}" = HP Setup
"{F3FB99DB-FF0E-DECE-E497-37336243544B}" = ccc-utility
"{F65B8208-5221-43D9-AA12-DDEA64EC4AF6}" = Validity Sensors software
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FD1D88FA-E5E0-BA76-73C8-7362E9703842}" = ccc-core-static
"284D9B4A58796481EC5A61D01DCC5E654761629C" = ENE CIR Receiver Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Toolbar" = AOL Toolbar 5.0
"avast!" = avast! Antivirus
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"Castle_Age Toolbar" = Castle_Age Toolbar
"FLV Player" = FLV Player 2.0 (build 25)
"Free Download Manager_is1" = Free Download Manager 3.0
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = HP MediaSmart Webcam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}" = HP MediaSmart Movie Themes
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{67626E09-5366-4480-8F1E-93FADF50CA15}" = HP MediaSmart Live TV
"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"InstallShield_{E553760D-D7F7-48BF-BD8B-C7E23BA04CB5}" = HP MediaSmart Internet TV
"LSI Soft Modem" = LSI HDA Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NIS" = Norton Internet Security
"PROHYBRIDR" = 2007 Microsoft Office system
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent hp Master Uninstall" = HP Games
"WinLiveSuite_Wave3" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-44142466-3684198360-2551735598-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 02/01/2010 07:49:29 AM | Computer Name = FO-PC | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 02/01/2010 07:49:29 AM | Computer Name = FO-PC | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 02/01/2010 07:49:32 AM | Computer Name = FO-PC | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 13/04/2010 11:18:15 PM | Computer Name = FO-PC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Program Files\OpenOffice.org 3\Basis\program\formi.dll failed, 00000005.

[ Application Events ]
Error - 21/04/2010 12:33:46 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2325

Error - 21/04/2010 12:33:47 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 21/04/2010 12:33:47 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3339

Error - 21/04/2010 12:33:47 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3339

Error - 21/04/2010 12:33:48 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 21/04/2010 12:33:48 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4368

Error - 21/04/2010 12:33:48 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4368

Error - 21/04/2010 12:33:49 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 21/04/2010 12:33:49 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5382

Error - 21/04/2010 12:33:49 PM | Computer Name = FO-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5382

[ System Events ]
Error - 23/04/2010 01:49:42 AM | Computer Name = FO-PC | Source = Disk | ID = 262155
Description = The driver detected a controller error on \...\DR3.

Error - 24/04/2010 09:05:48 PM | Computer Name = FO-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the ShellHWDetection service.

Error - 25/04/2010 05:05:24 PM | Computer Name = FO-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Schedule service.

Error - 26/04/2010 09:50:32 PM | Computer Name = FO-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Wlansvc service.

Error - 27/04/2010 12:49:13 AM | Computer Name = FO-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at ???? 09:47:37 on ?27-?04-?10 was unexpected.

Error - 27/04/2010 12:49:52 AM | Computer Name = FO-PC | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Norton
Internet Security service to connect.

Error - 27/04/2010 12:49:52 AM | Computer Name = FO-PC | Source = Service Control Manager | ID = 7000
Description = The Norton Internet Security service failed to start due to the following
error: %%1053

Error - 01/05/2010 12:02:47 PM | Computer Name = FO-PC | Source = EventLog | ID = 6008
Description = The previous system shutdown at ??? 09:01:18 on ?01-?05-?10 was unexpected.

Error - 01/05/2010 12:02:51 PM | Computer Name = FO-PC | Source = BugCheck | ID = 1001
Description =

Error - 02/05/2010 10:41:30 PM | Computer Name = FO-PC | Source = DCOM | ID = 10010
Description =


< End of report >


#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 09 May 2010 - 12:05 PM

Hello, can you please also run GMER? If it causes trouble, try to run it with only the Sections option checked.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 09 May 2010 - 12:16 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-09 22:13:42
Windows 6.1.7600
Running: 8igjioms.exe; Driver: C:\Users\FO\AppData\Local\Temp\pxldypoc.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82446AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82446104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824463F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8242E634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8242E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824461DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82446958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824466F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82446F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 824471A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8205F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82083F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000072 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b2af2e9
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132e8c8b
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132e8c8b@001de9f4de8f 0xC5 0x69 0x8F 0xC7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b2af2e9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132e8c8b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132e8c8b@001de9f4de8f 0xC5 0x69 0x8F 0xC7 ...

---- EOF - GMER 1.0.15 ----

I was running GMER, then it crashed and I ran it in safe mode. Sorry it took so long smile.gif

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 09 May 2010 - 12:56 PM

Hello again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 12 May 2010 - 02:35 AM

ComboFix rebooted the computer after saying rootkit activity found, and then continued. I am posting the log here. However, I have to transfer files between my work computer and my laptop every day, so my laptop could just as easily get infected again...even now after the scan I had to connect the USB...I might need something that I can use daily to prevent/cure whatever we find for my laptop and USB.

ComboFix 10-05-10.05 - FO 12/05/2010 12:14:37.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2045.943 [GMT 5:00]
Running from: c:\users\FO\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 07:20 . 2010-05-12 07:21 -------- d-----w- c:\users\FO\AppData\Local\temp
2010-05-12 07:20 . 2010-05-12 07:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-09 05:23 . 2010-05-09 05:23 -------- d-----w- c:\users\FO\AppData\Local\TVU Networks
2010-05-09 05:23 . 2010-05-09 05:23 -------- d-----w- c:\programdata\TVU Networks
2010-05-09 05:22 . 2010-05-09 05:22 -------- d-----w- c:\users\FO\AppData\Roaming\HP
2010-05-09 05:22 . 2010-05-09 05:22 -------- d-----w- c:\programdata\HP
2010-04-28 06:58 . 2010-04-28 06:58 -------- d-----w- c:\program files\Common Files\Java
2010-04-28 06:58 . 2010-04-12 12:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-28 03:06 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 03:06 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-28 02:28 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-27 05:19 . 2010-04-27 05:21 -------- d-----w- c:\users\FO\AppData\Roaming\QuickScan
2010-04-25 04:21 . 2010-04-25 04:21 -------- d-----w- c:\program files\FLV Player
2010-04-15 02:45 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 02:45 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 02:40 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 02:38 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 02:38 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 02:38 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 10:52 . 2010-04-14 10:52 -------- d-----w- c:\program files\iPod
2010-04-14 10:52 . 2010-04-14 10:53 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 10:52 . 2010-04-14 10:53 -------- d-----w- c:\program files\iTunes
2010-04-14 10:48 . 2010-04-14 10:49 -------- d-----w- c:\program files\QuickTime
2010-04-14 10:46 . 2010-04-14 10:46 -------- d-----w- c:\program files\Bonjour
2010-04-14 10:29 . 2010-04-14 10:29 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-14 01:21 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 01:21 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 07:59 . 2010-04-13 07:59 2523408 ----a-w- c:\programdata\WildTangent\My HP Game Console\Downloads\en\Installers\SetupGamesClient.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 02:50 . 2010-01-03 11:08 1 ----a-w- c:\users\FO\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-06 05:36 . 2010-01-02 11:30 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 04:07 . 2010-02-10 10:07 75 ----a-w- c:\users\FO\jagex_runescape_preferences2.dat
2010-05-06 04:07 . 2010-02-10 10:04 41 ----a-w- c:\users\FO\jagex_runescape_preferences.dat
2010-05-01 16:01 . 2010-01-02 11:51 -------- d-----w- c:\users\FO\AppData\Roaming\Free Download Manager
2010-04-30 19:11 . 2010-01-05 13:27 -------- d-----w- c:\users\FO\AppData\Roaming\Skype
2010-04-30 19:00 . 2010-01-05 13:32 -------- d-----w- c:\users\FO\AppData\Roaming\skypePM
2010-04-28 06:58 . 2009-08-20 00:18 -------- d-----w- c:\program files\Java
2010-04-21 15:30 . 2010-01-03 12:57 -------- d-----w- c:\users\FO\AppData\Roaming\Apple Computer
2010-04-16 03:20 . 2009-08-19 23:02 -------- d-----w- c:\programdata\Microsoft Help
2010-04-14 10:52 . 2010-01-03 12:54 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 12:54 . 2010-03-14 21:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 04:13 . 2010-01-03 08:09 -------- d-----w- c:\users\FO\AppData\Roaming\HP Support Assistant
2010-04-01 04:13 . 2010-01-02 09:17 -------- d-----w- c:\users\FO\AppData\Roaming\HpUpdate
2010-03-30 14:39 . 2009-08-19 22:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-30 14:36 . 2009-08-19 22:04 -------- d-----w- c:\program files\Hewlett-Packard
2010-03-30 14:35 . 2010-03-30 14:35 -------- d-----w- c:\programdata\{657095DF-DBDB-4B17-8245-B38845C97069}
2010-03-29 19:46 . 2010-03-14 21:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:45 . 2010-03-14 21:29 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 09:00 . 2010-03-27 09:00 0 ----a-w- c:\users\FO\jagex__preferences3.dat
2010-03-24 06:53 . 2010-03-24 06:53 -------- d-----w- c:\program files\Common Files\Skype
2010-03-14 21:29 . 2010-03-14 21:29 -------- d-----w- c:\users\FO\AppData\Roaming\Malwarebytes
2010-03-14 21:29 . 2010-03-14 21:29 -------- d-----w- c:\programdata\Malwarebytes
2010-03-04 09:06 . 2010-01-17 08:07 1125640 ----a-w- c:\programdata\Hewlett-Packard\HPSAUpgrade\HpSAUpgrade.exe
2010-02-23 12:12 . 2010-01-02 08:45 120208 ----a-w- c:\users\FO\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-23 07:56 . 2010-03-31 01:30 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-12 06:46 . 2010-02-12 06:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 06:46 . 2010-02-12 06:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{aac4043a-8832-4abe-9963-35377f30b8e6}"= "c:\program files\Castle_Age\tbCast.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aac4043a-8832-4abe-9963-35377f30b8e6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aac4043a-8832-4abe-9963-35377f30b8e6}]
2010-02-22 07:05 2353176 ----a-w- c:\program files\Castle_Age\tbCast.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{aac4043a-8832-4abe-9963-35377f30b8e6}"= "c:\program files\Castle_Age\tbCast.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aac4043a-8832-4abe-9963-35377f30b8e6}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{AAC4043A-8832-4ABE-9963-35377F30B8E6}"= "c:\program files\Castle_Age\tbCast.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{aac4043a-8832-4abe-9963-35377f30b8e6}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-07-16 1668664]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\FO\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-02 135664]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-31 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-02 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-14 1541416]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-22 458844]
"HPCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2009-02-25 218408]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-07-21 567864]
"DpAgent"="c:\program files\DigitalPersona\Bin\dpagent.exe" [2009-07-17 842816]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-06-24 320056]
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NobuActivation.exe" [2009-05-13 581480]
"UpdatePRCShortCut"="c:\program files\Hewlett-Packard\Recovery\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 142120]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-31 795936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"WallpaperStyle"= 2

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli DPPWDFLT

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

R3 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007000.01E\BHDrvx86.sys [2009-08-19 259632]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007000.01E\ccHPx86.sys [2009-08-19 482432]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2009-05-05 228408]
R3 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSVix86.sys [2009-08-19 293424]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2010-01-13 3477452]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007000.01E\SYMEFA.SYS [2009-08-19 310320]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-09 1343400]
S1 aswSP;avast! Self Protection; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_8e7d5b9d3a91d8c5\aestsrv.exe [2009-03-02 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-02 176128]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 26168]
S2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [2009-08-19 117640]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2009-06-03 599344]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-06-29 59904]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-21 116136]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 185344]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-44142466-3684198360-2551735598-1000Core.job
- c:\users\FO\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-02 11:35]

2010-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-44142466-3684198360-2551735598-1000UA.job
- c:\users\FO\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-02 11:35]

2010-05-07 c:\windows\Tasks\HPCeeScheduleForFO.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-06 23:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_PK&c=94&bd=Pavilion&pf=cnnb
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{495A8A3C-8FD0-4C46-9979-95C26181A1AB} - c:\program files\InstallShield Installation Information\{495A8A3C-8FD0-4C46-9979-95C26181A1AB}\setup.exe



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: >>UNKNOWN [0x82C06000]<< >>UNKNOWN [0x89415000]<< >>UNKNOWN [0x89E09000]<< >>UNKNOWN [0x89E00000]<< >>UNKNOWN [0x83016000]<< >>UNKNOWN [0x89286000]<< >>UNKNOWN [0x89526000]<< >>UNKNOWN [0x893CD000]<< >>UNKNOWN [0x895A8000]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
DeleteProcedure -> 0x8aa06900
SecurityProcedure -> 0x856cf5f0
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.7.0.30\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\DPPWDFLT.DLL
.
Completion time: 2010-05-12 12:23:46
ComboFix-quarantined-files.txt 2010-05-12 07:23

Pre-Run: 249,672,011,776 bytes free
Post-Run: 250,433,695,744 bytes free

- - End Of File - - 7EB915DEC9FD665784616467C5F6274B

Edited by KJLue, 12 May 2010 - 02:37 AM.


#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 12 May 2010 - 07:45 AM

Did you turn off your Antivirus completely before running the Combofix scan?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#10 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 13 May 2010 - 07:37 AM

Yes I did. Its Avast so I turned off all the real time protection by right-clicking and pausing all the providers. When the scan rebooted and started again, avast wasn't loaded at all.

Edited by KJLue, 13 May 2010 - 07:39 AM.


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 13 May 2010 - 11:51 AM

How are things running now? What problems do you still have left?

I see you are also having some symantec drivers running, if you are not currently using a Norton/Symantec product, please run the following utility.

Please click HERE and follow the instructions in STEP 2 to download and run the norton removal tool.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#12 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 18 May 2010 - 11:40 AM

Things seem to be running fine, but I'm still a little paranoid about the Recycler virus in the USB (recurring folder) and the laptop and the rootkit.

#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 19 May 2010 - 01:14 AM

Hello,
To clean your flashdrives, please use Flash Disinfector (this will not erase any data).

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,115 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:40 AM

Posted 22 May 2010 - 09:02 AM

Hello, are you still there?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 KJLue

KJLue
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:40 PM

Posted 24 May 2010 - 01:11 AM

Yes. Really sorry for taking so long these days. Wont happen again. I have already tried Flash disinfector. It doesn't seem to work on windows 7. Ran MBAM again, here is the log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24/05/2010 12:13:19 PM
mbam-log-2010-05-24 (12-13-19).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 292496
Time elapsed: 54 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by KJLue, 24 May 2010 - 02:15 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users