Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

mbam keeps finding backdoor pc client &password stealer


  • Please log in to reply
17 replies to this topic

#1 111

111

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 22 March 2011 - 05:22 PM

Evertime I run it MBAM it comes back with a couple infections 1)c:\WINDOWS\system32\KgursnD.dll (Backdoor.PcClient) -> Delete on reboot. 2):\WINDOWS\system32\KgursnD.dll (Backdoor.PcClient) -> Delete on reboot.
c:\WINDOWS\system32\drivers\PCIDump.sys (Password.Stealer) -> Quarantined and deleted successfully.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by HP_Administrator at 13:40:28.35 on Tue 03/22/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.71 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [RECGUARD] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {9239E4EC-C9A6-11D2-A844-00C04F68D538}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155782417515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\l6b1w9on.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1823472]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081203.004\naveng.sys [2008-12-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081203.004\navex15.sys [2008-12-3 876112]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 MediadCentered;MS Mediae Control dCenter;c:\windows\system32\newrr.exe [2009-7-9 37117]
S2 MediajCenters;MS Medias Control jCenter;c:\windows\system32\svchost.exe -k krnlsvc [2004-8-3 14336]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-1-29 15576]
.
=============== Created Last 30 ================
.
2011-03-22 19:35:17 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{4c6e5831-0bac-4610-a5ed-9be194979797}\mpengine.dll
2011-02-27 17:04:46 -------- d-----w- c:\program files\Windows Media Connect 2
2011-02-27 17:01:41 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-07-09 17:57:37 37117 --sh--w- c:\windows\system32\newrr.exe
.
============= FINISH: 13:41:54.07 ===============




BC AdBot (Login to Remove)

 


#2 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 29 March 2011 - 05:32 AM

Hello

Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here. If you have log of mbam scan then I would like to see it too! :thumbup2:
Posted Image

#3 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 29 March 2011 - 12:13 PM

Thank you for taking a look..............Heres what u asked for

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by HP_Administrator at 10:01:06.82 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.79 [GMT -7:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [RECGUARD] c:\windows\sminst\RECGUARD.EXE
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {9239E4EC-C9A6-11D2-A844-00C04F68D538}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155782417515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\l6b1w9on.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1823472]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-3 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20081016.004\naveng.sys [2008-10-16 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20081016.004\navex15.sys [2008-10-16 873552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S2 MediadCentered;MS Mediae Control dCenter;c:\windows\system32\newrr.exe [2009-7-9 37117]
S2 MediajCenters;MS Medias Control jCenter;c:\windows\system32\svchost.exe -k krnlsvc [2004-8-3 14336]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-1-29 15576]
.
=============== Created Last 30 ================
.
2011-03-29 15:07:28 4352 ----a-w- c:\windows\system32\drivers\PCIDump.sys
2011-03-25 22:54:31 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{11c61486-fad0-4197-a641-77f945d62fe5}\mpengine.dll
2011-03-23 17:22:22 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-03-23 17:22:22 4274816 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-03-23 16:28:25 -------- d-----w- c:\program files\ToniArts
2011-03-23 16:24:21 32768 ----a-w- c:\program files\common files\installshield\professional\runtime\Objectps.dll
2011-03-23 16:24:19 172032 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iuser.dll
2011-03-23 16:24:18 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\ctor.dll
2011-03-23 16:24:18 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iscript.dll
2011-03-23 16:24:17 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\DotNetInstaller.exe
2011-03-23 16:24:16 733184 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iKernel.dll
2011-03-23 16:23:46 180356 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\iGdi.dll
2011-03-23 16:23:38 303236 ----a-w- c:\program files\common files\installshield\professional\runtime\10\01\intel32\setup.dll
2011-02-27 17:04:46 -------- d-----w- c:\program files\Windows Media Connect 2
2011-02-27 17:01:41 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2009-07-09 17:57:37 37117 --sh--w- c:\windows\system32\newrr.exe
.
============= FINISH: 10:03:36.28 ===============
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6172

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/28/2011 9:14:29 AM
mbam-log-2011-03-28 (09-14-29).txt

Scan type: Full scan (C:\|)
Objects scanned: 220128
Time elapsed: 2 hour(s), 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{cabc4128-db31-4141-8bf1-8874e0da6f79}\RP396\A0024977.sys (Password.Stealer) -> Quarantined and deleted successfully.
c:\system volume information\_restore{cabc4128-db31-4141-8bf1-8874e0da6f79}\RP398\A0025049.sys (Password.Stealer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\PCIDump.sys (Password.Stealer) -> Quarantined and deleted successfully.




#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 30 March 2011 - 02:57 AM

Hello

Let's start with Combofix:

Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.
Posted Image

#5 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 30 March 2011 - 11:41 AM

Heres the log from combofix

ComboFix 11-03-29.06 - HP_Administrator 03/30/2011 9:20.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.134 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\1414.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\PCIDump.sys
c:\windows\system32\winsusrm.dll
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-29 19:31 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{59A8C5E6-BE6C-4EF9-BF1C-0BA812F1ECEE}\mpengine.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-03-23 16:28 . 2011-03-23 16:28 -------- d-----w- c:\program files\ToniArts
2011-03-23 16:24 . 2004-07-16 07:16 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-03-23 16:24 . 2004-07-16 07:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-03-23 16:24 . 2004-07-16 07:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-03-23 16:24 . 2004-07-16 07:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-03-23 16:24 . 2004-07-16 07:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-03-23 16:24 . 2004-07-16 07:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-03-23 16:23 . 2011-03-23 16:23 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-03-23 16:23 . 2011-03-23 16:23 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2006-08-17 03:24 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11 . 2009-10-06 17:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 05:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 05:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-04 05:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2008-11-20 23:19 . 2006-01-29 02:45 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-11-20 23:19 . 2006-01-29 02:45 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-20 23:19 . 2008-03-11 16:43 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-11-20 23:19 . 2008-03-11 16:43 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-11-20 23:19 . 2006-01-29 02:45 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-09 17:57 37117 --sh--w- c:\windows\system32\newrr.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-10-21 126976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-1-16 27136]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
2005-05-03 18:43 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCWZRD]
2005-10-11 13:33 2807808 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 22:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-10-21 14:36 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOUNDMAN]
2005-09-21 10:24 86016 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-09 23:11 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2008 5:57 PM 99376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:38 PM 135664]
S2 MediadCentered;MS Mediae Control dCenter;c:\windows\system32\newrr.exe [7/9/2009 10:57 AM 37117]
S2 MediajCenters;MS Medias Control jCenter;c:\windows\System32\svchost.exe -k krnlsvc [8/3/2004 10:00 PM 14336]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [1/29/2006 11:36 AM 15576]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-03-27 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-03-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-CTFMON - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 09:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-30 09:36:18
ComboFix-quarantined-files.txt 2011-03-30 16:36
.
Pre-Run: 17,981,386,752 bytes free
Post-Run: 18,252,488,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A1B1FB275FC8BE8040930950EDB83119

#6 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 30 March 2011 - 12:11 PM

Hello

Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,
File::
c:\windows\system32\newrr.exe

Driver::
MediadCentered
MediajCenters


Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.



Please open Malwarebytes' Anti-malware.
  • Click Update -tab and click Check updates now.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.


Please post Combofix log and Mbam log back here.
Posted Image

#7 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 31 March 2011 - 01:10 PM

ComboFix 11-03-30.03 - HP_Administrator 03/31/2011 9:19.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.168 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\1414.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
FILE ::
"c:\windows\system32\newrr.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\PCIDump.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEDIADCENTERED
-------\Legacy_MEDIAJCENTERS
-------\Service_MediadCentered
-------\Service_MediajCenters
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-29 19:31 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{59A8C5E6-BE6C-4EF9-BF1C-0BA812F1ECEE}\mpengine.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-03-23 16:28 . 2011-03-23 16:28 -------- d-----w- c:\program files\ToniArts
2011-03-23 16:24 . 2004-07-16 07:16 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-03-23 16:24 . 2004-07-16 07:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-03-23 16:24 . 2004-07-16 07:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-03-23 16:24 . 2004-07-16 07:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-03-23 16:24 . 2004-07-16 07:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-03-23 16:24 . 2004-07-16 07:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-03-23 16:23 . 2011-03-23 16:23 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-03-23 16:23 . 2011-03-23 16:23 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2006-08-17 03:24 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11 . 2009-10-06 17:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 05:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 05:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2008-11-20 23:19 . 2006-01-29 02:45 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-11-20 23:19 . 2006-01-29 02:45 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-20 23:19 . 2008-03-11 16:43 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-11-20 23:19 . 2008-03-11 16:43 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-11-20 23:19 . 2006-01-29 02:45 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-09 17:57 37117 --sh--w- c:\windows\system32\newrr.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-10-21 126976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
2005-05-03 18:43 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCWZRD]
2005-10-11 13:33 2807808 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 22:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-10-21 14:36 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOUNDMAN]
2005-09-21 10:24 86016 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-09 23:11 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2008 5:57 PM 99376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:38 PM 135664]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [1/29/2006 11:36 AM 15576]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-03-27 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-03-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 09:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2816)
c:\windows\system32\WININET.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-03-31 09:51:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-31 16:51
ComboFix2.txt 2011-03-30 16:36
.
Pre-Run: 18,209,112,064 bytes free
Post-Run: 18,117,206,016 bytes free
.
- - End Of File - - 7AFB9E2C4E35651F36437968EF9DF305
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6228

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/31/2011 10:43:15 AM
mbam-log-2011-03-31 (10-43-15).txt

Scan type: Quick scan
Objects scanned: 157495
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






#8 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 31 March 2011 - 03:19 PM

Hello

Combofix didn't remove one bad file so we have to try again.

Please click your Start button then Click on Run and type in the following without the quotes: "notepad" Then copy (Ctrl C) and paste (Ctrl V) the following text in the codebox,
Rootkit::
c:\windows\system32\newrr.exe



Save this as CFScript.txt

Posted Image

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please post Combofix log and Eset log back here.
How's computer working?
Posted Image

#9 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 31 March 2011 - 08:16 PM

no Threats were found with eset so it didnt give me a logfile


ComboFix 11-03-31.01 - HP_Administrator 03/31/2011 17:15:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.251 [GMT -7:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\1414.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-03-29 19:31 . 2011-03-15 04:05 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{59A8C5E6-BE6C-4EF9-BF1C-0BA812F1ECEE}\mpengine.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\nv4_disp.dll
2011-03-23 17:22 . 2008-04-14 00:12 4274816 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
2011-03-23 16:28 . 2011-03-23 16:28 -------- d-----w- c:\program files\ToniArts
2011-03-23 16:24 . 2004-07-16 07:16 32768 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\Objectps.dll
2011-03-23 16:24 . 2004-07-16 07:18 172032 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iuser.dll
2011-03-23 16:24 . 2004-07-16 07:20 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\ctor.dll
2011-03-23 16:24 . 2004-07-16 07:19 266240 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iscript.dll
2011-03-23 16:24 . 2004-07-16 07:18 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\DotNetInstaller.exe
2011-03-23 16:24 . 2004-07-16 07:20 733184 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iKernel.dll
2011-03-23 16:23 . 2011-03-23 16:23 180356 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\iGdi.dll
2011-03-23 16:23 . 2011-03-23 16:23 303236 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\10\01\Intel32\setup.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 04:05 . 2006-08-17 03:24 6792528 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-03 01:11 . 2009-10-06 17:43 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58 . 2004-08-04 05:00 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-04 05:00 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 05:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-04 05:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2008-11-20 23:19 . 2006-01-29 02:45 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-11-20 23:19 . 2006-01-29 02:45 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-20 23:19 . 2008-03-11 16:43 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-11-20 23:19 . 2008-03-11 16:43 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-11-20 23:19 . 2006-01-29 02:45 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-07-09 17:57 37117 --sh--w- c:\windows\system32\newrr.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"RECGUARD"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-07-27 1573888]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-10-21 126976]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCMTR]
2005-05-03 18:43 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALCWZRD]
2005-10-11 13:33 2807808 ----a-w- c:\windows\ALCWZRD.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-07-13 22:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-10-21 14:36 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ----a-w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOUNDMAN]
2005-09-21 10:24 86016 ----a-w- c:\windows\SOUNDMAN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-09 23:11 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2008 5:57 PM 99376]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 10:38 PM 135664]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [1/29/2006 11:36 AM 15576]
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]
.
2011-03-27 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]
.
2011-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-04-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 05:38]
.
2011-03-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: {{9239E4EC-C9A6-11D2-A844-00C04F68D538}
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 17:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WININET.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-03-31 17:31:41
ComboFix-quarantined-files.txt 2011-04-01 00:31
ComboFix2.txt 2011-03-31 16:51
ComboFix3.txt 2011-03-30 16:36
.
Pre-Run: 18,118,569,984 bytes free
Post-Run: 18,109,739,008 bytes free
.
- - End Of File - - 160D375302F1CD3C7C5290C0CB3766F3

#10 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 01 April 2011 - 04:37 AM

Hello

Combofix didn't remove the file. Let's have OTL log:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Posted Image

#11 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 01 April 2011 - 11:23 AM

OTL Extras logfile created on: 4/1/2011 9:11:24 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 38.00 Mb Available Physical Memory | 7.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.25 Gb Total Space | 16.75 Gb Free Space | 57.25% Space Free | Partition Type: NTFS
Drive D: | 8.00 Gb Total Space | 1.99 Gb Free Space | 24.93% Space Free | Partition Type: FAT32

Computer Name: SALES4-DESK | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Premium
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP250_series" = Canon MP250 series MP Drivers
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 20
"{2EEC2A94-7204-45C6-93BB-67EAEB19E4D6}" = Safari
"{3248F0A8-6813-11D6-A77B-00B0D0150050}" = J2SE Runtime Environment 5.0 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{382E94C0-6E22-44e4-B003-8EB31DFE296F}" = cp_LightScribeConfig
"{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}" = Microsoft Works
"{606BC780-101C-41DB-808D-4539BFA0774A}" = MobileMe Control Panel
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}" = Windows Defender Signatures
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C104580B-1C79-4d73-9BF0-CA0B184296A4}" = cp_LightScribePlugin
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5346614-B7C4-4E94-826A-E2363155233D}" = EasyCleaner
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"ATT-HSI" = ATT-HSI
"ATT-SST" = AT&T Service & Support Tool
"ATTToolbar" = AT&T Toolbar
"Canon MP250 series User Registration" = Canon MP250 series User Registration
"CANONIJPLM100" = Canon Inkjet Printer/Scanner/Fax Extended Survey Program
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Data Fax SoftModem with SmartCP
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"ESET Online Scanner" = ESET Online Scanner v3
"ie8" = Windows Internet Explorer 8
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (1.5)" = Mozilla Firefox (1.5)
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"RadialpointClientGateway_is1" = AT&T Internet Security Wizard 1.5.11
"Web Games Player Plugin" = Web Games Player Plugin
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = att.net Toolbar
"Yahoo! Mail" = att.net Internet Mail
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/31/2011 8:05:07 PM | Computer Name = SALES4-DESK | Source = Application Hang | ID = 1001
Description = Fault bucket -2060348231.

Error - 3/31/2011 8:10:01 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3844) Time: Thursday, March 31, 2011 5:10:00 PM

Error - 3/31/2011 8:10:01 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\iexplore.exe (PID 2096) Time: Thursday, March 31, 2011
5:10:01 PM

Error - 3/31/2011 8:10:01 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3184) Time: Thursday, March 31, 2011 5:10:01 PM

Error - 3/31/2011 8:10:03 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\firefox.exe (PID 236) Time: Thursday, March 31, 2011
5:10:03 PM

Error - 3/31/2011 8:11:29 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3916) Time: Thursday, March 31, 2011 5:11:29 PM

Error - 3/31/2011 8:11:29 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\iexplore.exe (PID 1576) Time: Thursday, March 31, 2011
5:11:29 PM

Error - 3/31/2011 8:11:30 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\pev.exe (PID 3184) Time: Thursday, March 31, 2011 5:11:30 PM

Error - 3/31/2011 8:11:32 PM | Computer Name = SALES4-DESK | Source = Symantec AntiVirus | ID = 16711725
Description = SYMANTEC TAMPER PROTECTION ALERT Target: C:\Program Files\Symantec
AntiVirus\VPTray.exe Event Info: Terminate Process Action Taken: Blocked Actor Process:
C:\32788R22FWJFW\License\firefox.exe (PID 3212) Time: Thursday, March 31, 2011
5:11:32 PM

Error - 4/1/2011 4:50:27 AM | Computer Name = SALES4-DESK | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 1.1.1593.0,
P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender, P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 3/28/2011 12:22:03 PM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde ViaIde

Error - 3/28/2011 12:22:08 PM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7034
Description = The MS Mediae Control dCenter service terminated unexpectedly. It
has done this 1 time(s).

Error - 3/29/2011 11:07:41 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7023
Description = The MS Medias Control jCenter service terminated with the following
error: %%126

Error - 3/29/2011 11:07:49 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7034
Description = The MS Mediae Control dCenter service terminated unexpectedly. It
has done this 1 time(s).

Error - 3/30/2011 10:06:35 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7023
Description = The MS Medias Control jCenter service terminated with the following
error: %%126

Error - 3/30/2011 10:06:44 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7034
Description = The MS Mediae Control dCenter service terminated unexpectedly. It
has done this 1 time(s).

Error - 3/30/2011 6:45:35 PM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the MS Medias Control jCenter
service to connect.

Error - 3/30/2011 6:45:44 PM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7034
Description = The MS Mediae Control dCenter service terminated unexpectedly. It
has done this 1 time(s).

Error - 3/31/2011 10:31:11 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the MS Medias Control jCenter
service to connect.

Error - 3/31/2011 10:31:22 AM | Computer Name = SALES4-DESK | Source = Service Control Manager | ID = 7034
Description = The MS Mediae Control dCenter service terminated unexpectedly. It
has done this 1 time(s).


< End of report >
OTL logfile created on: 4/1/2011 9:11:24 AM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 38.00 Mb Available Physical Memory | 7.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 57.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.25 Gb Total Space | 16.75 Gb Free Space | 57.25% Space Free | Partition Type: NTFS
Drive D: | 8.00 Gb Total Space | 1.99 Gb Free Space | 24.93% Space Free | Partition Type: FAT32

Computer Name: SALES4-DESK | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/10/21 07:36:27 | 000,126,976 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2010/07/27 03:15:50 | 001,573,888 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\ATT-SST\McciTrayApp.exe
PRC - [2009/03/23 19:00:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/02/10 09:01:49 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/03 13:12:14 | 002,061,816 | ---- | M] (AT&T) -- C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/03/17 06:34:30 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/03/07 13:02:14 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/07/27 02:47:12 | 000,198,656 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Pml Driver HPZ12)
SRV - [2009/02/10 09:01:49 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/07/27 02:47:30 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/07/27 02:47:10 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/11/20 10:32:46 | 000,099,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/10/16 12:26:31 | 000,873,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081016.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2008/10/16 12:26:29 | 000,089,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081016.004\NAVENG.SYS -- (NAVENG)
DRV - [2008/09/04 12:26:17 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/10/18 06:15:42 | 004,034,048 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/04/14 14:12:12 | 000,175,616 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/03/04 04:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/07 18:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/12/15 08:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/12/15 08:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 08:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 08:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/07/01 02:19:54 | 000,015,576 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbbc.sys -- (Wdm1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4056066521-401196378-299215640-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
IE - HKU\S-1-5-21-4056066521-401196378-299215640-1008\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-4056066521-401196378-299215640-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4056066521-401196378-299215640-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2010/08/23 09:20:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2010/08/23 09:20:05 | 000,000,000 | ---D | M]

[2010/02/16 18:01:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\extensions
[2010/02/16 17:51:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/06/24 13:20:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/24 13:20:40 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/10/06 15:58:46 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2008/11/20 16:19:46 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/11/20 16:19:46 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/11/20 16:19:46 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2008/11/20 16:19:46 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/11/20 16:19:46 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/07/02 12:19:28 | 000,102,400 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

O1 HOSTS File: ([2011/03/31 09:34:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O3 - HKLM\..\Toolbar: (att.net Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\..\Toolbar\WebBrowser: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O3 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\..\Toolbar\WebBrowser: (att.net Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [ISW.exe] C:\Program Files\AT&T\Internet Security Wizard\ISW.exe (AT&T)
O4 - HKLM..\Run: [RECGUARD] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\..Trusted Domains: 0.0.0.0 ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4056066521-401196378-299215640-1008\..Trusted Domains: motive.com ([patttbc.att] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155782417515 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 () - http://by109w.bay109.mail.live.com/att/GetAttachment.aspx?tnail=0&messageId=37b991a1-38fc-4b27-a395-df20edc81f7d&Aux=44|0|8CBFEBD325FCD60||
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/11/13 04:51:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 05:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 09:10:12 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/03/31 17:47:56 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/30 09:18:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/30 09:14:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/30 09:14:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/30 09:14:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/30 09:14:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/30 09:14:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/30 09:11:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/23 10:22:22 | 004,274,816 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nv4_disp.dll
[2011/03/23 10:22:22 | 004,274,816 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\dllcache\nv4_disp.dll
[2011/03/23 09:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\ToniArts
[2011/03/23 09:28:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EasyCleaner
[2011/03/22 15:41:30 | 002,951,802 | ---- | C] (InstallShield Software Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\EClea2_0.exe
[2011/03/07 10:47:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/04/01 09:00:08 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/01 01:50:37 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/03/31 17:11:11 | 004,310,832 | R--- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\1414.exe
[2011/03/31 16:00:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/31 09:37:50 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2011/03/31 09:35:10 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/03/31 09:34:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/31 09:33:45 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/03/30 09:18:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/27 15:00:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2011/03/24 22:06:36 | 000,445,798 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/03/24 22:06:36 | 000,073,004 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/03/22 15:41:32 | 002,951,802 | ---- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\EClea2_0.exe
[2011/03/22 15:38:16 | 000,001,955 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AT&T Service & Support Tool.lnk
[2011/03/22 13:40:05 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2011/03/18 13:56:09 | 000,000,252 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Watch Featured Videos Online Free Streaming Kids Videos PBS KIDS Sprout.url
[2011/03/16 08:03:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/30 09:14:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/30 09:14:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/30 09:14:41 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/30 09:14:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/30 09:14:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/30 09:13:05 | 004,310,832 | R--- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\1414.exe
[2011/03/22 13:39:51 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2009/07/09 07:45:07 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/24 16:40:54 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\ESTSNMP.DLL
[2006/08/16 21:44:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/01/29 17:04:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/01/29 11:36:30 | 000,015,576 | R--- | C] () -- C:\WINDOWS\System32\drivers\usbbc.sys
[2006/01/28 19:45:57 | 000,107,132 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2006/01/28 19:45:47 | 000,002,411 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/01/16 23:47:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/16 23:24:57 | 000,022,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/01/16 23:20:26 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
[2006/01/16 23:18:56 | 000,013,565 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/01/16 23:18:49 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/01/16 23:16:39 | 000,000,031 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/01/16 23:14:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/16 23:04:11 | 000,000,212 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/01/16 23:03:01 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/01/16 23:03:01 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/01/16 22:57:27 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
[2006/01/16 22:51:20 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/01/16 22:47:09 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/01/16 22:31:30 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/10/25 09:14:29 | 000,003,584 | ---- | C] () -- C:\WINDOWS\VIEWS.DAT
[2005/07/01 20:21:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/07/01 20:12:36 | 000,445,798 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/07/01 20:12:36 | 000,073,004 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/11/13 04:54:46 | 000,262,232 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/11/13 04:51:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/11/13 04:48:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/03 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/03 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/03 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/03 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/03 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/03 22:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/03 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/06/15 23:04:22 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/01/02 17:34:32 | 000,009,897 | ---- | C] () -- C:\WINDOWS\extend.dat
[2001/08/23 09:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 09:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >




#12 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 01 April 2011 - 12:45 PM

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox.
    :files
    c:\windows\system32\newrr.exe
    
    :commands
    [emptytemp]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.



Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Microsoft: ‘Unprecedented Wave of Java Exploitation’
Drive-by Trojan preying on out-of-date Java installations
Ghosts of Java Haunt UsersPlease follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Posted Image > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.


Please post OTL fix log back here. How's the computer working?
Posted Image

#13 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 07 April 2011 - 11:16 AM

Apologize about the delay....heres the log........computer runs good

All processes killed
========== FILES ==========
c:\windows\system32\newrr.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 2575483 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: HP_Administrator
->Temp folder emptied: 321024 bytes
->Temporary Internet Files folder emptied: 19830029 bytes
->Java cache emptied: 74389791 bytes
->FireFox cache emptied: 7523070 bytes
->Google Chrome cache emptied: 5876372 bytes
->Flash cache emptied: 82607 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes

User: NetworkService
->Temp folder emptied: 1176 bytes
->Temporary Internet Files folder emptied: 582082 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 3244049 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4735 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 109.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04012011_161153

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF57E9.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF57FB.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF587C.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF588C.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF59B2.tmp not found!
File\Folder C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF59C2.tmp not found!
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXMR4HUJ\ads[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXMR4HUJ\LocalStorage[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXMR4HUJ\Messenger[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\OPQ3W56R\page__pid__2178790[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KPA78HIF\GRedirect[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\HZRB1DKE\adloader[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\GDMF4DYR\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\C3T3IUR5\4242298[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\AXP27IXK\ads[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\43XZQ6ZT\InboxLight[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\16XJM6Y9\default[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\16XJM6Y9\resourcespreload[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\0P8IF1CW\xmlProxy[1].htm moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...




#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:08:17 PM

Posted 08 April 2011 - 02:14 AM

Yep all looks good but post a fresh OTL log once back here so we can make sure you are clean :thumbup2:
Posted Image

#15 111

111
  • Topic Starter

  • Members
  • 114 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:17 AM

Posted 15 April 2011 - 03:23 PM

OTL logfile created on: 4/15/2011 1:02:42 PM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\HP_Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.00 Mb Total Physical Memory | 77.00 Mb Available Physical Memory | 15.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 60.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.25 Gb Total Space | 16.74 Gb Free Space | 57.22% Space Free | Partition Type: NTFS
Drive D: | 8.00 Gb Total Space | 1.99 Gb Free Space | 24.93% Space Free | Partition Type: FAT32

Computer Name: SALES4-DESK | User Name: HP_Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
PRC - [2010/10/21 07:36:27 | 000,126,976 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
PRC - [2010/07/27 03:15:50 | 001,573,888 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\ATT-SST\McciTrayApp.exe
PRC - [2009/03/23 19:00:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/02/10 09:01:49 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/03 13:12:14 | 002,061,816 | ---- | M] (AT&T) -- C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/03/17 06:34:30 | 000,124,656 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) -- C:\Program Files\Symantec AntiVirus\SavRoam.exe
PRC - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/03/17 06:34:12 | 000,024,816 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DoScan.exe
PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/03/07 13:02:14 | 000,053,408 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
MOD - [2010/08/23 09:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/07/27 02:47:12 | 000,198,656 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Pml Driver HPZ12)
SRV - [2009/02/10 09:01:49 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


========== Driver Services (SafeList) ==========

DRV - [2010/07/27 02:47:30 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2010/07/27 02:47:10 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/11/20 10:32:46 | 000,099,376 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2008/10/16 12:26:31 | 000,873,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081016.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2008/10/16 12:26:29 | 000,089,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20081016.004\NAVENG.SYS -- (NAVENG)
DRV - [2008/09/04 12:26:17 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2006/02/06 12:50:22 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2006/01/31 13:29:20 | 000,107,696 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/01/24 20:06:36 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/01/24 20:06:32 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2005/12/19 20:41:58 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2005/12/19 20:41:56 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2005/10/18 06:15:42 | 004,034,048 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/04/14 14:12:12 | 000,175,616 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ftsata2.sys -- (ftsata2)
DRV - [2005/03/04 04:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2005/01/07 18:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/12/15 08:18:32 | 000,220,928 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2004/12/15 08:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 08:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2003/11/05 08:45:12 | 000,017,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\bb-run.sys -- (bb-run)
DRV - [2003/07/01 02:19:54 | 000,015,576 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbbc.sys -- (Wdm1)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official"
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Components: C:\Program Files\Mozilla Firefox\Components [2010/08/23 09:20:05 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 1.5\Extensions\\Plugins: C:\Program Files\Mozilla Firefox\Plugins [2010/08/23 09:20:05 | 000,000,000 | ---D | M]

[2010/02/16 18:01:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\extensions
[2010/02/16 17:51:26 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\l6b1w9on.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/01 17:12:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/01 17:12:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/04/01 17:11:13 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2008/11/20 16:19:46 | 000,067,696 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2008/11/20 16:19:46 | 000,054,376 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2008/11/20 16:19:46 | 000,034,952 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2008/11/20 16:19:46 | 000,046,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2008/11/20 16:19:46 | 000,172,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2011/04/01 17:11:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/07/02 12:19:28 | 000,102,400 | ---- | M] (Zylom) -- C:\Program Files\Mozilla Firefox\plugins\npzylomgamesplayer.dll

O1 HOSTS File: ([2011/03/31 09:34:53 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O3 - HKLM\..\Toolbar: (att.net Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AT&&T Toolbar) - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\Program Files\ATTToolbar\ATTToolbar.dll (AT&T)
O3 - HKCU\..\Toolbar\WebBrowser: (att.net Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ATT-SST_McciTrayApp] C:\Program Files\ATT-SST\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (Google Inc.)
O4 - HKLM..\Run: [ISW.exe] C:\Program Files\AT&T\Internet Security Wizard\ISW.exe (AT&T)
O4 - HKLM..\Run: [RECGUARD] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: 0.0.0.0 ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: motive.com ([patttbc.att] https in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1155782417515 (WUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop Components:0 () - http://by109w.bay109.mail.live.com/att/GetAttachment.aspx?tnail=0&messageId=37b991a1-38fc-4b27-a395-df20edc81f7d&Aux=44|0|8CBFEBD325FCD60||
O24 - Desktop Components:1 (My Current Home Page) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/11/13 04:51:38 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 05:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/01 17:13:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2011/04/01 17:12:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/04/01 17:12:08 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/01 17:12:06 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/01 17:12:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/01 17:12:06 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/01 16:28:35 | 016,525,088 | ---- | C] (Sun Microsystems, Inc.) -- C:\Documents and Settings\HP_Administrator\Desktop\jre-6u24-windows-i586.exe
[2011/04/01 16:11:53 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/04/01 09:46:30 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/04/01 09:10:12 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/03/31 17:47:56 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/03/30 09:18:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/03/30 09:14:41 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/03/30 09:14:41 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/03/30 09:14:41 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/03/30 09:14:41 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/03/30 09:14:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/03/30 09:11:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/23 10:22:22 | 004,274,816 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\nv4_disp.dll
[2011/03/23 10:22:22 | 004,274,816 | ---- | C] (NVIDIA Corporation) -- C:\WINDOWS\System32\dllcache\nv4_disp.dll
[2011/03/23 09:28:25 | 000,000,000 | ---D | C] -- C:\Program Files\ToniArts
[2011/03/23 09:28:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EasyCleaner
[2011/03/22 15:41:30 | 002,951,802 | ---- | C] (InstallShield Software Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\EClea2_0.exe

========== Files - Modified Within 30 Days ==========

[2011/04/15 13:01:29 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/15 12:59:03 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/04/15 12:57:08 | 000,000,186 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2011/04/15 12:56:34 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/04/15 12:55:49 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/15 12:55:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/04/12 16:43:26 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/04/12 13:30:06 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/04/12 13:20:28 | 000,445,798 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/04/12 13:20:28 | 000,073,004 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/04/01 17:11:07 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/04/01 17:11:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2011/04/01 17:11:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/04/01 17:11:06 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/04/01 17:11:06 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2011/04/01 16:28:41 | 016,525,088 | ---- | M] (Sun Microsystems, Inc.) -- C:\Documents and Settings\HP_Administrator\Desktop\jre-6u24-windows-i586.exe
[2011/04/01 11:58:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/01 09:10:18 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator\Desktop\OTL.exe
[2011/03/31 17:11:11 | 004,310,832 | R--- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\1414.exe
[2011/03/31 09:34:53 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/03/30 09:18:15 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/03/27 15:00:00 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\defrag.job
[2011/03/22 15:41:32 | 002,951,802 | ---- | M] (InstallShield Software Corporation) -- C:\Documents and Settings\HP_Administrator\Desktop\EClea2_0.exe
[2011/03/22 13:40:05 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2011/03/18 13:56:09 | 000,000,252 | ---- | M] () -- C:\Documents and Settings\HP_Administrator\Desktop\Watch Featured Videos Online Free Streaming Kids Videos PBS KIDS Sprout.url

========== Files Created - No Company Name ==========

[2011/03/30 09:14:41 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/03/30 09:14:41 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/03/30 09:14:41 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/03/30 09:14:41 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/03/30 09:14:41 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/03/30 09:13:05 | 004,310,832 | R--- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\1414.exe
[2011/03/22 13:39:51 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
[2009/07/09 07:45:07 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/06/24 16:40:54 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\ESTSNMP.DLL
[2006/08/16 21:44:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\VPC32.INI
[2006/01/29 17:04:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2006/01/29 11:36:30 | 000,015,576 | R--- | C] () -- C:\WINDOWS\System32\drivers\usbbc.sys
[2006/01/28 19:45:57 | 000,107,132 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2006/01/28 19:45:47 | 000,002,411 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2006/01/16 23:47:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/01/16 23:24:57 | 000,022,396 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2006/01/16 23:20:26 | 000,118,842 | R--- | C] () -- C:\WINDOWS\HPCPCUninstaller-6.3.2.116-9972322.exe
[2006/01/16 23:18:56 | 000,013,565 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2006/01/16 23:18:49 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2006/01/16 23:16:39 | 000,000,031 | ---- | C] () -- C:\WINDOWS\Quicken.ini
[2006/01/16 23:14:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/01/16 23:04:11 | 000,000,212 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/01/16 23:03:01 | 000,045,929 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.EXE
[2006/01/16 23:03:01 | 000,000,698 | ---- | C] () -- C:\WINDOWS\NSSetDefaultBrowser.ini
[2006/01/16 22:57:27 | 000,072,881 | ---- | C] () -- C:\WINDOWS\hpiins01.dat
[2006/01/16 22:51:20 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/01/16 22:47:09 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2006/01/16 22:31:30 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2005/10/25 09:14:29 | 000,003,584 | ---- | C] () -- C:\WINDOWS\VIEWS.DAT
[2005/07/01 20:21:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/07/01 20:12:36 | 000,445,798 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/07/01 20:12:36 | 000,073,004 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/11/13 04:54:46 | 000,262,232 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2004/11/13 04:51:16 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/11/13 04:48:46 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2004/08/04 12:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/03 22:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/03 22:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/03 22:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/03 22:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/03 22:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/03 22:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/03 22:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2004/06/15 23:04:22 | 000,000,560 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/01/02 17:34:32 | 000,009,897 | ---- | C] () -- C:\WINDOWS\extend.dat
[2001/08/23 09:12:28 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 09:11:02 | 000,004,490 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[1999/01/22 11:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

< End of report >







0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users