
XP Hijack this log file


This topic is locked. 13 replies to this topic.

#1 JamWal


Posted 14 September 2010 - 09:07 PM

I have one specific website (www.channel3000.com), a local news site, that I constantly get redirected from. I have scanned with Malwarebytes, AdAware, Spyware Dr, and a bunch of others and have come up with no solutions. I do have Malwarebytes actively defending while I am surfing, and that does block the redirects so I can read the site; but it has not solved the overall problem yet. Here is my HijackThis log; what's wrong? Please help. Thanks, James in Wisconsin

Logfile of HijackThis v1.99.1
Scan saved at 8:52:00 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\James\Local Settings\Temp\USBMonit.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ancestry.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ancestry.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WorksFUD] "C:\Program Files\Microsoft Works\wkfud.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] "C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] "C:\Program Files\BroadJump\Client Foundation\CFD.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by hamluis, 15 September 2010 - 06:22 AM.
Moved from XP forum to Malware Removal Logs ~ Hamluis.
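A helper reads a HijackThis log by eye, section by section. As an added example (not code from BleepingComputer, from the poster, or from HijackThis itself), the script below applies a few of the same first-pass checks to lines copied from the log above: processes running from a temp directory, entries marked "(file missing)", O16 DPF entries with no name or source, and O4 autorun commands given without a path. The flags are prompts for a reviewer, not verdicts on any entry.

```python
"""Triage helper for HijackThis 1.99.x log lines.

Added example for this thread, not code from BleepingComputer, the poster or
HijackThis. The sample below is a handful of lines copied from the posted log;
the heuristics are generic review checks and are not verdicts.
"""
import re
from typing import List, Optional, Tuple

# Sample input constructed from lines of the posted log (raw string keeps the backslashes).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\James\Local Settings\Temp\USBMonit.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
TEMP_DIR_RE = re.compile(r"\\(Local Settings\\Temp|Temp|Temporary Internet Files)\\", re.IGNORECASE)
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

Finding = Tuple[str, str, str]  # (entry code or "PROC", reason, original line)


def parse_processes(text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs: List[str] = []
    in_section = False
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def parse_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (code, body, line) for every 'Rn - ...' or 'On - ...' entry."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("code"), m.group("body"), line.strip()))
    return out


def run_command(body: str) -> Optional[str]:
    """Extract the executable from an O4 Run entry body, e.g.
    'HKLM\\..\\Run: [nwiz] "nwiz.exe" /install' -> 'nwiz.exe'."""
    m = O4_RE.search(body)
    if not m:
        return None  # Global Startup .lnk entries have no [name] part
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd.strip('"')
    return cmd.split(" ")[0]


def triage(text: str) -> List[Finding]:
    """Flag entries a reviewer would look at first. Flags are prompts, not verdicts."""
    findings: List[Finding] = []
    for path in parse_processes(text):
        if TEMP_DIR_RE.search(path):
            findings.append(("PROC", "process running from a temporary directory", path))
    for code, body, line in parse_entries(text):
        if "(file missing)" in body:
            findings.append((code, "entry points at a file that no longer exists "
                                   "(orphaned hook or uninstall leftover)", line))
        if code == "O16" and body.rstrip().endswith("-"):
            findings.append((code, "Downloaded Program Files (ActiveX) entry with no name or source", line))
        if code == "O4":
            cmd = run_command(body)
            if cmd and "\\" not in cmd:
                findings.append((code, "autorun command has no directory; it is resolved by PATH search", line))
    return findings


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```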




#2 Elise


Posted 21 September 2010 - 04:36 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is OK, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 JamWal


Posted 21 September 2010 - 08:43 AM

Awesome! Along with the problem I am also interested in removing any junk that may appear in a log to help my computer's performance. The problem is that while using Mozilla Firefox & going to a few local news sites, I'll get on the site for maybe 2-3 seconds, and I get redirected to a blank white screen that looks as if it's trying to load a page. On a hunch I disabled JavaScript within Firefox, and my problem was fixed, except that I lost all the benefit of surfing the net while using JavaScript. That is my issue & what I need to fix. Firefox is updated to the latest version.

Here are the log files, Thank you! - I've attached/uploaded the log files, when I cut and pasted I was told the size of the post was too large. Thanks, James.


EDIT: OTL.txt removed in order to create attachment space ~ Elise


Edited by elise025, 23 September 2010 - 08:00 AM.


#4 Elise


Posted 21 September 2010 - 09:06 AM

Hello again,

I notice the presence of Uniblue Registry Booster Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners for several reasons.

• Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

• Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

• Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

• Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

• The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.
COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#5 JamWal


Posted 21 September 2010 - 01:10 PM

Thanks for the advice, Elise. I dumped the registry cleaner. I guess if there is something wrong, it's more than likely not going to be a registry issue. I did as you said & ran ComboFix, installing the Recovery Console. Seemed to go OK. Here is the log file. Thank you! B.t.w., after I ran ComboFix, I got online with Firefox using JavaScript & I wasn't booted off of the website I had been having problems with. James

ComboFix 10-09-20.07 - HP_Owner 09/21/2010 12:48:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1919.1382 [GMT -5:00]
Running from: c:\documents and settings\HP_Owner.JAMESOFFICE\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\91988426.ini
c:\program files\RegGenie
c:\program files\RegGenie\Backups\40439.9774267477
c:\program files\RegGenie\RegGenie.ini
c:\program files\RegGenie\RegGenieOnUninstall.exe
c:\windows\explorer(2).exe
c:\windows\explorer(3).exe
c:\windows\explorer(4).exe
c:\windows\Install.txt
c:\windows\system32\ps2.bat

.
((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))
.

2010-09-19 04:30 . 2010-09-19 04:30 49152 ----a-w- c:\windows\system32\hpzjrd01.dll
2010-09-18 22:48 . 2010-09-07 14:53 340048 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2010-09-18 22:48 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-18 22:48 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-18 22:48 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-18 22:48 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-18 22:48 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-18 22:48 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-18 22:48 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-18 22:48 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-18 22:48 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-18 22:48 . 2010-09-18 22:48 -------- d-----w- c:\program files\Alwil Software
2010-09-18 22:48 . 2010-09-18 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-18 21:51 . 2010-09-18 21:51 -------- d-sh--w- c:\documents and settings\HP_Owner.JAMESOFFICE\UserData
2010-09-18 21:43 . 2010-09-18 21:44 102006 ----a-w- c:\windows\hpoins04.dat
2010-09-18 21:43 . 2004-06-22 11:20 17218 ------w- c:\windows\hpomdl04.dat
2010-09-18 21:42 . 2004-04-13 08:10 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-09-18 21:42 . 2004-04-13 08:10 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-09-18 21:42 . 2004-03-14 10:43 135249 ----a-w- c:\windows\system32\hpzlnt10.dll
2010-09-18 00:38 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-09-18 00:38 . 2010-09-18 00:38 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\InstallShield
2010-09-17 20:52 . 2010-09-17 20:58 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-09-14 03:24 . 2010-09-14 03:24 -------- d-----w- c:\windows\Downloaded Program Files
2010-09-13 19:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 19:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 19:33 . 2010-09-13 19:33 -------- d-----w- c:\program files\Common Files\XoftSpySE
2010-09-13 19:33 . 2010-09-13 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-09-13 19:33 . 2010-09-13 19:33 -------- d-----w- c:\program files\XoftSpySE6
2010-09-13 17:32 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-09-13 17:32 . 2001-08-17 18:57 16128 ----a-w- c:\windows\system32\dllcache\modemcsa.sys
2010-09-13 17:31 . 2006-01-27 04:35 68096 ------w- c:\windows\system32\agrsmdel.exe
2010-09-13 17:03 . 2006-06-08 13:00 143360 ------w- c:\windows\system32\RtlCPAPI.dll
2010-09-13 17:03 . 2006-06-21 10:35 10527744 ------w- c:\windows\system32\RTLCPL.exe
2010-09-13 17:03 . 2005-07-15 21:48 40960 ------w- c:\windows\system32\ChCfg.exe
2010-09-13 17:03 . 2010-09-13 17:03 -------- d-----w- c:\program files\Realtek AC97
2010-09-13 16:55 . 2002-04-26 05:07 86275 ----a-w- c:\windows\system32\waitwnd.exe
2010-09-13 16:55 . 2002-03-15 15:48 155648 ----a-w- c:\windows\system32\setuplib.dll
2010-09-13 16:39 . 2005-12-19 21:43 32768 ----a-r- c:\windows\system32\drivers\sisnicxp.sys
2010-09-13 16:35 . 2002-10-17 05:14 49024 ----a-r- c:\windows\system32\drivers\sisidex.sys
2010-09-13 16:35 . 2002-08-20 07:19 9472 ----a-r- c:\windows\system32\drivers\sisperf.sys
2010-09-13 16:35 . 2003-03-25 07:50 4096 ----a-r- c:\windows\system32\drivers\siside.sys
2010-09-13 16:06 . 2010-09-13 16:06 -------- d-----w- c:\documents and settings\HP_OWN~1~JAM\LOCALS~1
2010-09-13 16:06 . 2010-09-13 16:06 -------- d-----w- c:\documents and settings\HP_OWN~1~JAM
2010-09-13 15:52 . 2010-09-13 15:52 -------- d-----w- c:\program files\DIFX
2010-09-13 15:52 . 2010-09-13 15:52 -------- d-----w- C:\Drivers
2010-09-13 15:40 . 2010-09-13 15:40 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\DriverCure
2010-09-13 15:40 . 2010-09-13 15:40 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\ParetoLogic
2010-09-13 15:39 . 2010-09-13 15:39 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-09-13 15:39 . 2010-09-13 15:39 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-09-13 15:39 . 2010-09-13 15:39 -------- d-----w- c:\program files\ParetoLogic
2010-09-11 21:26 . 2010-09-11 21:26 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\Symantec
2010-09-11 19:44 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-09-11 15:47 . 2010-09-13 14:20 -------- d-----w- c:\windows\system32\scripting
2010-09-11 15:47 . 2010-09-13 14:39 -------- d-----w- c:\windows\system32\bits
2010-09-11 15:41 . 2008-04-14 00:12 132608 ----a-w- c:\windows\system32\msv1_0.dll
2010-09-11 15:41 . 2008-12-05 06:54 144896 ----a-w- c:\windows\system32\schannel.dll
2010-09-11 15:05 . 2010-09-11 15:05 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\Threat Expert
2010-09-08 16:59 . 2010-09-08 16:59 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Tific
2010-09-08 16:48 . 2010-09-18 04:59 -------- d-----w- c:\program files\1283385560
2010-09-08 16:34 . 2010-09-13 15:52 -------- dc----w- c:\windows\system32\DRVSTORE
2010-09-08 16:27 . 2010-09-08 16:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2010-09-08 16:21 . 2010-09-19 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-09-08 16:21 . 2010-09-18 23:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-09-08 14:51 . 2010-09-08 14:51 -------- d-----w- c:\program files\IrfanView
2010-09-07 09:42 . 2010-09-07 09:42 -------- d-----w- c:\program files\Windows Sidebar
2010-09-07 08:54 . 2004-03-19 02:36 270336 ----a-w- c:\windows\system32\HPZc3212.dll
2010-09-07 08:54 . 2004-03-14 10:32 278528 ----a-w- c:\windows\system32\hpgwiamd.dll
2010-09-07 08:54 . 2004-04-07 14:34 196608 ----a-w- c:\windows\system32\hpzcoi10.dll
2010-09-07 08:54 . 2004-04-07 14:33 344064 ----a-w- c:\windows\system32\hpzcon10.dll
2010-09-07 07:14 . 2010-09-07 07:14 -------- d-----w- c:\windows\Options
2010-09-07 06:26 . 2010-09-13 13:58 38544 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-07 04:43 . 2010-09-07 04:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-09-07 04:39 . 2010-09-07 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-09-06 16:25 . 2010-09-06 16:25 -------- d-sh--w- c:\documents and settings\HP_Owner.JAMESOFFICE\PrivacIE
2010-09-06 15:58 . 2010-09-06 15:58 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\FireShot
2010-09-06 06:14 . 2010-09-07 07:11 -------- d-----w- c:\program files\Passware
2010-09-05 16:54 . 2010-09-07 07:13 -------- d-----w- c:\program files\ElcomSoft
2010-09-04 10:21 . 2010-09-04 10:21 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\AdobeUM
2010-09-04 10:21 . 2010-09-07 04:48 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\Adobe
2010-09-03 15:14 . 2010-09-05 17:15 -------- d-----w- c:\program files\Intelore
2010-09-03 07:07 . 2010-09-03 07:07 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 07:01 . 2004-09-24 09:45 7168 ----a-w- c:\windows\InstFunc.dll
2010-09-03 06:42 . 2010-09-03 06:42 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Uniblue
2010-09-03 06:08 . 2010-09-03 06:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\Symantec
2010-09-03 06:03 . 2010-09-03 06:03 -------- d-sh--w- c:\documents and settings\HP_Owner.JAMESOFFICE\IETldCache
2010-09-03 05:55 . 2010-05-06 10:41 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-09-03 05:55 . 2010-05-06 10:41 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-09-03 05:55 . 2010-05-06 10:41 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-09-03 05:55 . 2010-05-06 10:41 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-09-03 05:55 . 2010-05-06 10:41 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-09-03 05:55 . 2010-05-06 10:41 11076096 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-09-03 05:55 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-09-02 17:20 . 2008-04-14 00:12 7680 ----a-w- c:\windows\system32\spdwnwxp.exe
2010-09-02 15:43 . 2009-01-07 23:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-09-02 06:29 . 2010-09-02 06:29 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Malwarebytes
2010-09-02 00:27 . 2009-11-27 16:37 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
2010-09-02 00:16 . 2010-09-02 00:16 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\Mozilla
2010-09-02 00:05 . 2010-09-05 15:53 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\Identities
2010-09-02 00:01 . 2004-08-04 10:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-09-01 23:59 . 2004-12-02 06:07 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
2010-09-01 23:59 . 2004-12-02 06:00 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2010-09-01 23:59 . 2004-12-02 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\WINDOWS
2010-09-01 23:59 . 2004-12-02 05:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-09-01 23:47 . 2004-08-04 07:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-09-01 23:47 . 2001-08-17 20:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-09-01 22:32 . 2010-09-01 22:39 -------- d-----r- C:\MSOCache
2010-09-01 22:30 . 2010-09-14 10:58 -------- d-sh--r- c:\windows\system32\dllcache
2010-08-31 20:07 . 2010-08-31 20:07 -------- d-----w- C:\$AVG
2010-08-31 19:27 . 2010-09-18 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-08-30 04:56 . 2010-09-02 15:59 -------- d-----w- c:\program files\Trend Micro
2010-08-24 15:00 . 2010-08-24 15:11 -------- d-----w- c:\program files\Content Manager
2010-08-24 15:00 . 2010-08-24 15:00 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2055-09-19 06:29 . 2009-09-19 06:00 2012 ----a-w- c:\windows\system32\NAV_75_cltDynam.dat
2010-09-19 02:35 . 2009-06-18 22:01 -------- d-----w- c:\program files\IObit
2010-09-18 14:29 . 2004-12-02 05:46 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-09-18 04:38 . 2009-02-10 14:59 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-18 00:38 . 2004-12-02 05:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-13 19:56 . 2009-06-23 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 16:06 . 2004-12-02 05:41 -------- d-----w- c:\program files\Common Files\InstallShield
2010-09-13 14:36 . 2004-10-15 10:37 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-09-13 13:53 . 2004-12-02 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-09-13 13:53 . 2004-12-02 05:24 -------- d-----w- c:\program files\HP
2010-09-13 13:51 . 2009-02-01 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-09-13 13:51 . 2009-02-01 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-07 08:19 . 2004-12-02 05:46 -------- d-----w- c:\program files\iTunes
2010-09-07 08:14 . 2004-12-02 06:08 -------- d-----w- c:\program files\Norton AntiVirus
2010-09-07 08:12 . 2004-12-02 05:54 -------- d-----w- c:\program files\PC-Doctor for Windows
2010-09-07 08:00 . 2004-12-02 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-09-07 07:30 . 2004-12-02 05:28 -------- d-----w- c:\program files\Common Files\HP
2010-09-07 07:20 . 2004-12-02 05:50 -------- d-----w- c:\program files\Help and Support Additions
2010-09-07 07:14 . 2010-09-02 00:00 143 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Local Settings\Application Data\fusioncache.dat
2010-09-07 07:12 . 2004-12-02 05:55 -------- d-----w- c:\program files\Easy Internet signup
2010-09-03 07:07 . 2010-09-03 07:07 503808 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2aef06f3-n\msvcp71.dll
2010-09-03 07:07 . 2010-09-03 07:07 499712 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2aef06f3-n\jmc.dll
2010-09-03 07:07 . 2010-09-03 07:07 348160 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-2aef06f3-n\msvcr71.dll
2010-09-03 07:07 . 2004-12-02 05:15 -------- d-----w- c:\program files\Common Files\Java
2010-09-03 07:07 . 2010-09-03 07:07 61440 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-302cebe0-n\decora-sse.dll
2010-09-03 07:07 . 2010-09-03 07:07 12800 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-302cebe0-n\decora-d3d.dll
2010-09-03 07:07 . 2004-12-02 05:15 -------- d-----w- c:\program files\Java
2010-09-02 15:59 . 2010-09-02 15:59 388096 ----a-r- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-02 00:31 . 2010-09-02 00:00 -------- d-----w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Symantec
2010-09-02 00:01 . 2010-09-02 00:01 1818 --sha-r- c:\windows\system32\drivers\103C_HP_CPC_PP164AA-ABA a810n_YC_0Pavi_QMXF507_E51NAheBLA2_47_ISalmon_SASUSTek Computer INC._V1.04_B3.07_T050110_WXH2_L409_M1920_J160_7AMD_8Athlon 64_92.41_#090201_N10390900_Z11C1048C_G10396330_O_DNEC61BA.MRK
2010-09-01 23:58 . 2009-02-01 05:36 -------- d-----w- c:\program files\SiS VGA Utilities V3.63
2010-08-31 19:42 . 2009-04-02 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-31 19:27 . 2009-06-16 02:10 -------- d-----w- c:\program files\AVG
2010-08-30 05:00 . 2009-09-05 03:04 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\uTorrent
2010-08-19 20:27 . 2009-08-29 18:40 -------- d-----w- c:\program files\Common Files\Apple
2010-08-05 18:21 . 2010-02-11 22:16 -------- d-----w- c:\program files\ZWCAD 2010 Eng
2010-08-03 02:57 . 2010-08-03 02:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2010-08-03 02:57 . 2009-07-18 18:19 -------- d-----w- c:\program files\NCH Software
2010-07-31 22:37 . 2010-09-05 14:47 3862016 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2010-07-31 22:37 . 2010-08-13 10:45 3862016 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2010-07-29 01:52 . 2010-09-05 14:47 24576 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2010-07-29 01:52 . 2010-08-13 10:45 24576 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2010-06-25 08:37 . 2010-09-05 14:47 110592 ----a-w- c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
2010-06-25 08:37 . 2010-08-13 10:45 110592 ----a-w- c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
2005-03-28 02:41 . 2009-02-01 04:31 0 --sha-w- c:\windows\SMINST\HPCD.SYS
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 15:14 152160 ----a-w- c:\program files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2006-04-29 89542]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ParetoLogic\\PCHA\\PCHA.exe"=

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/18/2010 5:48 PM 340048]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/18/2010 5:48 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/18/2010 5:48 PM 17744]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/13/2010 2:56 PM 304464]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [9/13/2010 2:56 PM 20952]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [9/17/2010 7:38 PM 206608]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/17/2010 7:38 PM 582992]
S3 Normandy;Normandy SR2; [x]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [9/17/2010 7:38 PM 206608]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-21 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-07-05 19:11]

2010-09-20 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-07-05 21:18]

2010-08-31 c:\windows\Tasks\expressaccountsDowngrade.job
- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [2010-08-03 02:57]

2010-08-31 c:\windows\Tasks\expressaccountsShakeIcon.job
- c:\program files\NCH Software\ExpressAccounts\expressaccounts.exe [2010-08-03 02:57]

2010-09-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-02 21:44]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 21:46]

2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 21:46]

2010-09-20 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]

2010-09-13 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]

2010-09-13 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-09-18 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-08-24 22:47]

2010-09-13 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-06-20 23:15]

2010-09-13 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-10-23 21:58]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Mozilla\Firefox\Profiles\kd720326.default\
FF - prefs.js: browser.startup.homepage - hxxp://weather.weatherbug.com/WI/Columbus-weather.html?zcode=z6286&zip=53925
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\HP_Owner.JAMESOFFICE\Application Data\Mozilla\Firefox\Profiles\kd720326.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegGenie Scheduler - c:\program files\RegGenie\RegGenieScheduler.exe
Notify-dimsntfy - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-21 12:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1997477680-2013023808-3698007892-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D3C0F0A9-C343-EE24-87CB-327D40CE30CA}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\ALCXMNTR.EXE
c:\windows\AGRSMMSG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Trend Micro\RUBotted\TMRUBottedLite.exe
.
**************************************************************************
.
Completion time: 2010-09-21 13:01:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-21 18:01

Pre-Run: 108,378,779,648 bytes free
Post-Run: 108,449,005,568 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=1 Default=1 Failed=0 LastKnownGood=6 Sets=,1,2,3,6
- - End Of File - - 4AD2160DEE5ECFDAE2A5752A7DABA0D8

Edited by JamWal, 21 September 2010 - 01:11 PM.
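The ComboFix log above lists the machine's autostart points, but the thread never shows how a helper actually reads them. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses Run-key values and service lines in the format ComboFix prints, flags Run values whose image is a bare file name (resolved through the search path at logon rather than from a fixed path), flags services whose image ComboFix marked `[x]` (file not found on disk), and cross-checks the bare names against the "Other Running Processes" list to show where they actually resolved. The `SAMPLE_LOG` and `RUNNING_PROCESSES` constants are constructed from lines copied out of the posted log and trimmed; the two regular expressions assume only the line shapes visible in that log.

```python
import ntpath
import re

# Constructed sample: lines copied from the ComboFix log posted above and trimmed
# to the Run keys and service entries this check looks at.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2006-04-29 89542]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/18/2010 5:48 PM 340048]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [9/17/2010 7:38 PM 582992]
S3 Normandy;Normandy SR2; [x]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
"""

# Constructed sample: entries from the "Other Running Processes" list in the same log.
RUNNING_PROCESSES = [
    r"c:\program files\Alwil Software\Avast5\AvastSvc.exe",
    r"c:\windows\ALCXMNTR.EXE",
    r"c:\windows\AGRSMMSG.exe",
    r"c:\program files\Java\jre6\bin\jqs.exe",
]

# ComboFix prints Run values as:   "Name"="image" [date size]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# ...and services as:   R1 name;display;image [date size]   or   ...;display; [x]  when the file is missing
SERVICE_LINE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^\[]*)\[(?P<meta>[^\]]*)\]'
)


def bare_run_entries(log: str) -> dict:
    """Run values whose image is a bare file name with no directory component.

    Such a value is resolved through the search path at logon, so a same-named
    file dropped into a directory searched earlier would run instead of the
    intended one. Returns {value_name: image}.
    """
    found = {}
    for line in log.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m and not ntpath.dirname(m.group("image")):
            found[m.group("name")] = m.group("image")
    return found


def services_without_image(log: str) -> list:
    """Service names whose image ComboFix could not find on disk (marked [x] or blank)."""
    missing = []
    for line in log.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m and (m.group("meta").strip() == "x" or not m.group("image").strip()):
            missing.append(m.group("name").strip())
    return missing


def resolve_against_running(bare: dict, running: list) -> dict:
    """Map each bare image name to the full path(s) it was seen running from,
    matching on file name case-insensitively. An empty list means not seen."""
    by_basename = {}
    for path in running:
        by_basename.setdefault(ntpath.basename(path).lower(), []).append(path)
    return {name: by_basename.get(image.lower(), []) for name, image in bare.items()}


if __name__ == "__main__":
    bare = bare_run_entries(SAMPLE_LOG)
    for name, where in resolve_against_running(bare, RUNNING_PROCESSES).items():
        print(f"Run value {name!r} uses bare image {bare[name]!r}; running from: {where or 'not seen'}")
    for svc in services_without_image(SAMPLE_LOG):
        print(f"Service {svc!r} is registered but its image file is missing")
```

On the posted log this flags AlcxMonitor (ALCXMNTR.EXE) and AGRSMMSG (AGRSMMSG.exe); the running-process list shows both executing from c:\windows, where the Realtek audio and Agere modem driver packages on HP machines of that era commonly put them, so the check says "verify", not "malicious". It also flags the Normandy SR2 service, which is registered with no image file on disk. Neither finding explains the single-site redirect; this is the kind of cross-check a helper does before deciding what, if anything, to remove.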


#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:03:45 PM

Posted 21 September 2010 - 01:51 PM

That's looking quite good! Do you have any problems left?


MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 JamWal

Posted 21 September 2010 - 04:00 PM

I thought the problem was resolved, but was on that site & it happened again. Seems to redirect to "Gugle"

#8 Elise

Posted 22 September 2010 - 02:31 AM

Please post me the MBAM results and a new OTL log.

regards, Elise


#9 JamWal

Posted 22 September 2010 - 05:15 PM

Elise, when I try to post I get a message from bleepingcomputer about the post being too large, please reduce the size of the post. Any advice? Thanks, James

#10 Elise

Posted 23 September 2010 - 03:06 AM

Please try to attach the OTL log to the post instead of pasting it in.

regards, Elise


#11 JamWal

Posted 23 September 2010 - 07:52 AM

I tried both, getting the same message. On this console (where you type a message) it says the attachment space used 480.92k of 512k, leaving enough space for 31.08k. OTL alone is 426k. Maybe some of the previous attachments need to be deleted; or could the files be sent to you directly?

#12 Elise

Posted 23 September 2010 - 08:00 AM

Hi, I removed your previous OTL log so you can upload the new one.

regards, Elise


#13 Elise

Posted 27 September 2010 - 05:34 AM

Hello, are you still there?

regards, Elise


#14 Elise

Posted 04 October 2010 - 05:21 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise