redirecting, Security Center Alert pop-up


  • This topic is locked
27 replies to this topic

#1 Nicholas334

Nicholas334

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:20 AM

Posted 24 March 2011 - 05:15 PM

A week ago, Firefox began to pop up a new window unasked saying things like "Your Realplayer is out of date". Sometimes, it would also crash Firefox. The computer would also refuse to shut down using the shut down feature, and I would have to do a hard shutdown. I ran MBAM, and that helped a little, but the popups still occurred. Today, "Security Center Alert" showed up, with repeated popups wanting me to buy the software, and an icon saying "Antivirus Antispyware 2011" showed up in my toolbar. I ran MBAM again, but I think I am still infected. My cable internet company called and said they detected a worm on our system.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Edward Pena at 17:04:34.61 on Thu 03/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.861 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINXP\system32\Ati2evxx.exe
C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\system32\Ati2evxx.exe
svchost.exe
C:\WINXP\system32\PackethSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINXP\system32\svchost.exe -k imgsvc
C:\WINXP\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Documents and Settings\Edward Pena\Desktop\virus removal\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://webcenters.netscape.compuserve.com/menu/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.bearshare.com/sidebar.html?src=ssb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: @c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2348.0\npwinext.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\edward pena\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\6.3.2348.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} - hxxp://download.netmarble.net/web/nmstarter/NMStarter26_20091109.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://download.netmarble.net/kdefence/kdfense8237.cab
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R2 PackethSvc;Virtual NIC Service;c:\winxp\system32\PackethSvc.exe [2010-8-9 64512]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\winxp\system32\drivers\libusb0.sys [2011-1-14 28672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winxp\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-9 133104]
S3 dsiarhwprog;dsiarhwprog;c:\winxp\system32\drivers\dsiarhwprog.sys [2010-12-14 29184]
S3 MUD;Driver for Magellan USB Device;c:\winxp\system32\drivers\MUD.sys [2010-7-8 51200]
S3 npggsvc;nProtect GameGuard Service;c:\winxp\system32\gamemon.des -service --> c:\winxp\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winxp\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\winxp\system32\drivers\wpro_40_1340.sys --> c:\winxp\system32\drivers\WPRO_40_1340.sys [?]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-03-24 20:15:27 -------- d-----w- C:\AntiVirus AntiSpyware 2011
2011-03-16 18:45:47 -------- d-----w- c:\program files\whitesmoketoolbar
2011-03-16 18:45:22 -------- d-----w- c:\program files\Drop Down Deals
2011-03-16 18:45:22 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Tarma Installer
2011-03-16 18:44:33 -------- d-----w- c:\docume~1\edward~1\applic~1\Nyke
2011-03-16 18:44:33 -------- d-----w- c:\docume~1\edward~1\applic~1\Hyybme
2011-03-15 03:35:47 -------- d-----w- c:\docume~1\edward~1\applic~1\cerasus.media
2011-03-13 19:55:26 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\MysteryChronicles
2011-03-13 17:24:59 -------- d-----w- c:\docume~1\edward~1\applic~1\TikisLab
2011-03-05 01:05:41 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Kristanix Games
.
==================== Find3M ====================
.
2011-03-17 22:29:26 71072 ----a-w- c:\winxp\CouponPrinter.ocx
2011-02-26 23:42:42 398760 ----a-r- c:\winxp\system32\cpnprt2.cid
2009-01-15 04:04:41 36868 -c--a-w- c:\program files\uninst-shine.exe
2006-07-15 09:01:22 774144 ----a-w- c:\program files\RngInterstitial.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3200826AS rev.3.03 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x899955DC]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8999b7b8]; MOV EAX, [0x8999b834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x899E9AB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000005d[0x899EF138]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x89A1AD98]
\Driver\atapi[0x899E9540] -> IRP_MJ_CREATE -> 0x899955DC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3200826AS_____________________________3.03____#5&2cf5e12d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x89995422
user & kernel MBR OK
copy of MBR has been found in sector 9 !
malicious code @ sector 0x1749ddc1 size 0x1b2 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:06:22.30 ===============

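The DDS report above carries several indicators a helper triages by eye: a BHO registered with "No File", a new directory dropped directly under C:\ named after the rogue product, two random-named Application Data folders created in the same second, and the Gmer rootkit warning at the end. The script below is an added example, not code from DDS, OTL or BleepingComputer: it parses a DDS-style report section by section and applies those four heuristics. The sample report is constructed from lines quoted in the post above, and the severity labels and rules (root-level directory, same-second batch creation, orphaned BHO, rootkit detector warnings) are this example's own assumptions, not DDS output.

```python
"""Triage helper for DDS-style scan reports (constructed example, not DDS/OTL code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the DDS report from the post above.
SAMPLE_REPORT = r"""
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\drop down deals\YontooIEClient.dll
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
.
=============== Created Last 30 ================
.
2011-03-24 20:15:27 -------- d-----w- C:\AntiVirus AntiSpyware 2011
2011-03-16 18:45:47 -------- d-----w- c:\program files\whitesmoketoolbar
2011-03-16 18:44:33 -------- d-----w- c:\docume~1\edward~1\applic~1\Nyke
2011-03-16 18:44:33 -------- d-----w- c:\docume~1\edward~1\applic~1\Hyybme
2011-03-05 01:05:41 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Kristanix Games
.
=================== ROOTKIT ====================
.
user & kernel MBR OK
malicious code @ sector 0x1749ddc1 size 0x1b2 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:06:22.30 ===============
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info" (labels are this example's own)
    section: str
    line: str
    reason: str


SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "<date> <time> <size or dashes> <attrs> <path>" as DDS prints in "Created Last 30"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
ROOT_DIR_RE = re.compile(r"^[a-z]:\\[^\\]+\\?$", re.IGNORECASE)  # e.g. C:\Something
PROFILE_DIR_RE = re.compile(r"applic~1|application data", re.IGNORECASE)


def split_sections(text):
    """Group non-empty report lines under the '=== name ===' header that precedes them."""
    sections = defaultdict(list)
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":  # DDS uses lone dots as spacers
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return sections


def check_bho_entries(lines, section):
    """A BHO whose DLL is gone is leftover registration worth cleaning, not active code."""
    return [Finding("info", section, ln, "orphaned BHO: CLSID registered but DLL missing")
            for ln in lines if ln.startswith("BHO:") and ln.endswith("- No File")]


def check_created_dirs(lines, section):
    """Flag root-level directories and profile directories dropped in the same second."""
    out, by_time = [], defaultdict(list)
    for ln in lines:
        m = CREATED_RE.match(ln)
        if not m:
            continue
        ts, _size, attrs, path = m.groups()
        if not attrs.startswith("d"):  # only directories
            continue
        if ROOT_DIR_RE.match(path):
            out.append(Finding("high", section, ln, "new directory created directly under the drive root"))
        if PROFILE_DIR_RE.search(path):
            by_time[ts].append(ln)
    for ts, group in by_time.items():
        if len(group) >= 2:  # batch-dropped folders share one creation second
            out += [Finding("medium", section, ln,
                            f"{len(group)} profile directories created in the same second ({ts})")
                    for ln in group]
    return out


def check_rootkit(lines, section):
    """Anything the MBR/rootkit detector calls malicious or warns about is top priority."""
    return [Finding("high", section, ln, "rootkit detector reported malicious code or possible infection")
            for ln in lines if "malicious code" in ln.lower() or ln.lower().startswith("warning:")]


def triage(report_text):
    """Run the per-section checks and return findings sorted high -> medium -> info."""
    findings = []
    for section, lines in split_sections(report_text).items():
        name = section.lower()
        if "hjt" in name:
            findings += check_bho_entries(lines, section)
        elif "created" in name:
            findings += check_created_dirs(lines, section)
        elif "rootkit" in name:
            findings += check_rootkit(lines, section)
    rank = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: rank[f.severity])  # stable sort keeps report order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the constructed sample it reports six findings: the root-level "AntiVirus AntiSpyware 2011" directory and the two rootkit-detector lines as high, the Nyke/Hyybme pair as medium, and the orphaned BHO as info. The checks are deliberately conservative; they surface lines for a human to look at rather than decide what a path is, which is why the Yontoo and whitesmoketoolbar entries pass through untouched.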


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:20 AM

Posted 30 March 2011 - 01:55 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right on this thread, click on the Option button, and, in the drop-down list, click on 'Track this topic'. Under Subscription Information, click on 'Immediate Email Notification' and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Posted Image button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#3 Nicholas334

Nicholas334
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:20 AM

Posted 30 March 2011 - 05:24 PM

I had no trouble running the scan. BUT I should tell you that my hubby decided to download and install Norton AV since I posted the original post. It hasn't seemed to help. Also, something called "Offerbox browser" has installed itself on my machine, and I can't make it go away. My searches continue to be re-directed, with popups in new windows happening every 2 minutes or so.


OTL Extras logfile created on: 3/30/2011 6:08:08 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Edward Pena\Desktop\virus removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 12.00% Memory free
3.00 Gb Paging File | 1.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 178.37 Gb Total Space | 9.18 Gb Free Space | 5.15% Space Free | Partition Type: NTFS
Drive H: | 7.91 Gb Total Space | 0.55 Gb Free Space | 6.95% Space Free | Partition Type: FAT32

Computer Name: EDWARD-9A2E13D7 | User Name: Edward Pena | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"56115:TCP" = 56115:TCP:*:Enabled:Pando Media Booster
"56115:UDP" = 56115:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3724:TCP" = 3724:TCP:*:Enabled:Blizzard Downloader: 3724
"56115:TCP" = 56115:TCP:*:Enabled:Pando Media Booster
"56115:UDP" = 56115:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\World of Warcraft\Launcher.exe" = C:\Program Files\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\BackgroundDownloader.exe" = C:\Program Files\World of Warcraft\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Ntreev\Grand Chase\main.exe" = C:\Ntreev\Grand Chase\main.exe:*:Enabled:GrandChase -- (KOG)
"C:\Program Files\Raptr\raptr.exe" = C:\Program Files\Raptr\raptr.exe:*:Enabled:Raptr Client -- ()
"C:\Program Files\Raptr\raptr_im.exe" = C:\Program Files\Raptr\raptr_im.exe:*:Enabled:Raptr IM -- ()
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe" = C:\Program Files\Microsoft Games\Halo Custom Edition\haloce.exe:*:Enabled:Halo -- (Microsoft Corporation)
"C:\Documents and Settings\Edward Pena\Desktop\Nick's Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe" = C:\Documents and Settings\Edward Pena\Desktop\Nick's Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe" = C:\Program Files\World of Warcraft\WoW-x.x.x.x-4.0.0.12911-Downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\WINXP\explorer.exe" = C:\WINXP\explorer.exe:*:Disabled:Windows Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007811BF-E310-4285-BFC6-55DB29B3EDDE}" = WinPatrol
"{02EE107B-8D95-4949-8935-4DEBE8F08BE3}" = Bing Bar Platform
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{08234a0d-cf39-4dca-99f0-0c5cb496da81}" = Bing Bar
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{1D21ED4F-3C5E-45C3-9795-8C8CB2AB31DC}" = VantagePoint
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2476A580-A916-417F-A182-28ACBB9A27C5}" = Nanovor
"{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java™ 6 Update 23
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3EA962FB-B79E-4A0C-A0F8-191E9FBF5278}" = AVG 2011
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}" = Bing Rewards Client Installer
"{63CEA2E4-4FE7-4F2C-B388-C1313D24157C}" = SPORE™ Galactic Adventures
"{676B241C-AED4-400B-98FF-267773B94B11}_is1" = QuickFreedom 1.1.0
"{67D15B01-9A6B-0397-002A-D2A015212748}" = FlipShare
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{754127CC-BAF0-40EE-8211-4964CC48A23D}" = Hidden Identity - Chicago Blackout
"{81FA4663-C0EA-4953-9B2B-6C8BDF508539}" = Time Mysteries - Inheritance
"{82C96A65-AF5E-438B-900F-259869219BA0}" = ATI Catalyst Control Center
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{928B06E4-DDAA-476A-926A-641620326327}" = Microsoft Search Enhancement Pack
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A374F31D-4FFC-4B91-B736-40426CBB1B45}" = Minds Eye - Secrets Of The Forgotten
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA0000000001}" = Adobe Reader X (10.0.1)
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}}_is1" = Invoke Solutions Participant 6.2.0.1452
"{DC525714-3134-4749-A39F-E3216A4FF9BD}" = Halo CE Cracked Setup
"{DD44C055-A531-48CF-905B-27345E87E6B8}" = Pirate Mysteries - A Tale of Monkeys, Masks, and Hidden Objects
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F4C68898-EBA5-46A9-82B3-2D30426086BF}" = AVG 2011
"{F57D2C3E-5F88-4A76-BEDE-0F2E6B469B55}" = NetmarbleGrandChase
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"Action Replay DSi Code Manager_is1" = Action Replay DSi Code Manager
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AI RoboForm" = AI RoboForm (All Users)
"All ATI Software" = ATI - Software Uninstall Utility
"Art of Murder. FBI Confidential 1.00" = Art of Murder. FBI Confidential 1.00
"ATI Display Driver" = ATI Display Driver
"BFGC" = Big Fish Games: Game Manager
"Broken Sword - The Sleeping Dragon" = Broken Sword - The Sleeping Dragon
"Broken Sword - The Sleeping Dragon_is1" = Broken Sword - The Sleeping Dragon
"CamStudio" = CamStudio
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"EADM" = EA Download Manager
"EKS Descartes Rainbow" = EKS Descartes Rainbow
"EKS Dinner With Moriarty" = EKS Dinner With Moriarty
"EKS Inspector Lestrade" = EKS Inspector Lestrade
"EKS Scotland Yard" = EKS Scotland Yard
"ESET Online Scanner" = ESET Online Scanner v3
"Foxit Reader" = Foxit Reader
"Grand Chase" = Grand Chase
"grandchase" = Grand Chase
"GSAK_is1" = GSAK 7.7.1.34 (Final)
"Hidden Mysteries - The Fateful Voyage - Titanic 1.00" = Hidden Mysteries - The Fateful Voyage - Titanic 1.00
"ie8" = Windows Internet Explorer 8
"InstallShield_{1D21ED4F-3C5E-45C3-9795-8C8CB2AB31DC}" = VantagePoint
"Journalistic Stories" = Journalistic Stories
"jZip" = jZip
"kdefense" = K-Defense8 Control - Å°º¸µå º¸¾È
"LibUSB-Win32_is1" = LibUSB-Win32-0.1.12.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.16)" = Mozilla Firefox (3.6.16)
"Mystic Diary - Lost Brother1.0" = Mystic Diary - Lost Brother
"N360" = Norton Security Suite
"Nat Geo - Lilly Wu And The Terra Cotta Mystery 1.00" = Nat Geo - Lilly Wu And The Terra Cotta Mystery 1.00
"OfferBox Browser" = OfferBox Browser
"OpenAL" = OpenAL
"Raptr" = Raptr
"Reincarnations Uncover the Past Regular 1.00" = Reincarnations Uncover the Past Regular 1.00
"Save Our Spirit 1.00" = Save Our Spirit 1.00
"Tribes 2" = Tribes 2
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.7
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"World of Warcraft" = World of Warcraft
"Xfire" = Xfire (remove only)
"Yahoo! Companion" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AntiVirus AntiSpyware 2011" = AntiVirus AntiSpyware 2011

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"AntiVirus AntiSpyware 2011" = AntiVirus AntiSpyware 2011

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{373B1718-8CC5-4567-8EE2-9033AD08A680}" = Roblox for Edward Pena
"Facebook Plug-In" = Facebook Plug-In
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/15/2011 9:34:30 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 489
Description = wuauclt (896) An attempt to open the file "C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 3/15/2011 9:34:30 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 455
Description = wuaueng.dll (896) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred
while opening logfile C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2011 9:34:44 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 489
Description = wuauclt (3636) An attempt to open the file "C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 3/15/2011 9:34:44 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 455
Description = wuaueng.dll (3636) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2011 9:34:54 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 489
Description = wuauclt (3636) An attempt to open the file "C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 3/15/2011 9:34:54 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 455
Description = wuaueng.dll (3636) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2011 9:35:06 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 489
Description = wuauclt (3092) An attempt to open the file "C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 3/15/2011 9:35:06 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 455
Description = wuaueng.dll (3092) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2011 9:35:16 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 489
Description = wuauclt (3092) An attempt to open the file "C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 3/15/2011 9:35:16 PM | Computer Name = EDWARD-9A2E13D7 | Source = ESENT | ID = 455
Description = wuaueng.dll (3092) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINXP\SoftwareDistribution\DataStore\Logs\edb.log.

[ System Events ]
Error - 3/28/2011 8:40:45 PM | Computer Name = EDWARD-9A2E13D7 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
COMPAQ-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{EAC6AB29-8AF2-4668. The master browser is stopping or an election is
being forced.

Error - 3/28/2011 9:40:46 PM | Computer Name = EDWARD-9A2E13D7 | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
COMPAQ-PC that believes that it is the master browser for the domain on transport
NetBT_Tcpip_{EAC6AB29-8AF2-4668. The master browser is stopping or an election is
being forced.

Error - 3/28/2011 10:41:20 PM | Computer Name = EDWARD-9A2E13D7 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000243'
while processing the file 'SrtETmp' on the volume 'HarddiskVolume1'. It has stopped
monitoring the volume.

Error - 3/28/2011 10:43:40 PM | Computer Name = EDWARD-9A2E13D7 | Source = Service Control Manager | ID = 7023
Description = The srv96C service terminated with the following error: %%998

Error - 3/28/2011 11:35:23 PM | Computer Name = EDWARD-9A2E13D7 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service McComponentHostService
with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}

Error - 3/29/2011 8:51:38 AM | Computer Name = EDWARD-9A2E13D7 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.100 for the Network Card with network
address 001B2F2B9F72 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 3/29/2011 8:53:46 AM | Computer Name = EDWARD-9A2E13D7 | Source = Service Control Manager | ID = 7023
Description = The srv96C service terminated with the following error: %%998

Error - 3/29/2011 11:37:36 PM | Computer Name = EDWARD-9A2E13D7 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service McComponentHostService
with arguments "" in order to run the server: {CC6F4D12-8575-4CFF-9455-CF5774AEB13B}

Error - 3/30/2011 8:59:53 AM | Computer Name = EDWARD-9A2E13D7 | Source = Service Control Manager | ID = 7023
Description = The srv96C service terminated with the following error: %%998

Error - 3/30/2011 9:08:34 AM | Computer Name = EDWARD-9A2E13D7 | Source = Service Control Manager | ID = 7023
Description = The srv96C service terminated with the following error: %%998


< End of report >


OTL logfile created on: 3/30/2011 6:08:08 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Edward Pena\Desktop\virus removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 0.00 Gb Available Physical Memory | 12.00% Memory free
3.00 Gb Paging File | 1.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 178.37 Gb Total Space | 9.18 Gb Free Space | 5.15% Space Free | Partition Type: NTFS
Drive H: | 7.91 Gb Total Space | 0.55 Gb Free Space | 6.95% Space Free | Partition Type: FAT32

Computer Name: EDWARD-9A2E13D7 | User Name: Edward Pena | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/30 18:06:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Edward Pena\Desktop\virus removal\OTL.exe
PRC - [2011/03/24 07:31:36 | 001,966,936 | ---- | M] (Secure Digital Services Limited) -- C:\Program Files\OfferBox\OfferBox.exe
PRC - [2011/03/23 12:54:22 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/17 14:22:57 | 000,329,096 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2010/10/20 09:07:20 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/05/14 12:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINXP\explorer.exe
PRC - [2001/08/09 16:46:44 | 000,064,512 | -H-- | M] (America Online, Inc.) -- C:\WINXP\system32\PackethSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/03/30 18:06:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Edward Pena\Desktop\virus removal\OTL.exe
MOD - [2010/09/20 15:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\asoehook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
MOD - [2007/03/26 14:03:20 | 000,057,344 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - File not found [Disabled | Stopped] -- -- (6to4)
SRV - [2011/03/25 13:27:47 | 000,058,368 | -HS- | M] () [Auto | Stopped] -- \\?\globalroot\Device\HarddiskVolume1\WINXP\Temp\srv96C.tmp [WARNING: \\?\globalroot\Device\HarddiskVolume1\WINXP\Temp\srv96C.tmp] -- (srv96C)
SRV - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe -- (N360)
SRV - [2010/02/10 12:01:00 | 003,428,588 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINXP\System32\GameMon.des -- (npggsvc)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2001/08/09 16:46:44 | 000,064,512 | -H-- | M] (America Online, Inc.) [Auto | Running] -- C:\WINXP\system32\PackethSvc.exe -- (PackethSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/03/28 01:38:46 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/27 01:00:00 | 001,360,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110330.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/03/27 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/03/27 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/03/27 01:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110330.003\NAVENG.SYS -- (NAVENG)
DRV - [2011/03/14 14:58:34 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110325.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/03/09 21:11:42 | 000,800,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\System32\Drivers\N360\0403000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINXP\System32\Drivers\N360\0403000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\ccHPx86.sys -- (ccHP)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SYMDS.SYS -- (SymDS)
DRV - [2008/09/24 11:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2008/02/05 13:51:38 | 000,051,200 | ---- | M] (Magellan) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\MUD.sys -- (MUD)
DRV - [2007/03/20 12:33:26 | 000,028,672 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\libusb0.sys -- (libusb0)
DRV - [2007/02/08 09:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)
DRV - [2006/01/18 19:41:58 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/08/13 22:35:54 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/09 18:26:02 | 000,022,608 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\wandrv.sys -- (wandrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webcenters.netscape.compuserve.com/menu/
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://webcenters.netscape.compuserve.com/menu/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: ConsumerInput@Compete:8477
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: FFToolbar@upromise:7.0.2.4181
FF - prefs.js..extensions.enabledItems: toolbar@shopathome.com:5.2.0.0
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}:3.3.3.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.87
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: offerboxffx@offerbox.com:2.1.3600.135
FF - prefs.js..extensions.enabledItems: {759A70EF-CF25-4165-A342-5460FD538680}:1.9.1
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6


FF - HKLM\software\mozilla\Firefox\extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2010/08/11 18:38:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\msntoolbar@msn.com: C:\Program Files\MSN Toolbar\Platform\6.3.2348.0\Firefox [2010/12/31 22:15:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2010/12/31 22:15:29 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/12/31 22:15:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com [2011/03/27 16:15:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{759A70EF-CF25-4165-A342-5460FD538680}: C:\Documents and Settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680} [2011/03/27 16:17:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/03/28 09:51:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2011/03/28 01:39:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/23 12:54:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 12:54:28 | 000,000,000 | ---D | M]

[2010/02/17 17:02:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Extensions
[2011/03/30 16:19:13 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions
[2011/01/12 22:34:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/03 04:44:13 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2010/08/12 01:56:17 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] ("Consumer Input") -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\ConsumerInput@Compete
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\engine@conduit.com
[2011/03/21 08:54:40 | 000,000,000 | ---D | M] ("Upromise TurboSaver") -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\FFToolbar@upromise
[2010/12/16 23:15:41 | 000,000,000 | ---D | M] (ShopAtHome.com Intelligent Shopping Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\toolbar@shopathome.com
[2009/12/03 11:54:24 | 000,002,476 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\searchplugins\BearShareWebSearch.xml
[2010/01/20 13:15:44 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\searchplugins\conduit.xml
[2011/03/30 16:19:13 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/30 11:38:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/28 01:39:40 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS.WINXP\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\COFFPLGN
[2011/03/28 09:51:46 | 000,000,000 | ---D | M] (Norton IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS.WINXP\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPLGN
[2011/03/27 16:17:19 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\EDWARD PENA\LOCAL SETTINGS\APPLICATION DATA\{759A70EF-CF25-4165-A342-5460FD538680}
[2010/11/24 18:57:31 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/03/27 16:15:42 | 000,000,000 | ---D | M] (OfferBox) -- C:\PROGRAM FILES\OFFERBOX\OFFERBOXFFX@OFFERBOX.COM
[2010/08/11 18:38:11 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2010/12/29 17:51:03 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2010/12/29 17:51:03 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2009/12/03 11:54:24 | 000,002,476 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
[2011/03/16 14:45:19 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2010/12/29 10:38:37 | 000,000,027 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Drop Down Deals\YontooIEClient.dll (Yontoo Technology, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003..\Run: [Hgidadazayujup] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/08/01 01:03:06 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..Trusted Domains: compuserve.com ([]* is out of zone range - 5)
O15 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..Trusted Domains: compuserve.com ([objects] * is out of zone range - 6)
O16 - DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} http://download.netmarble.net/web/nmstarter/NMStarter26_20091109.cab (NetmarbleStarter26 Class)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} http://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab (NetmarbleAutoUpdater Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {89F434A7-4A49-4394-AC02-007480331AE2} http://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab (NetmarbleSystemIDInfo Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} http://download.netmarble.net/kdefence/kdfense8237.cab (Kdfense8 Control)
O16 - DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} http://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab (Invoke Solutions MILiveParticipantPadHelper Control)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} Reg Error: Key error. (Invoke Solutions Participant Control(MR))
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Value error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINXP\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/07 15:48:45 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/04/04 16:40:01 | 000,000,000 | ---- | M] () - C:\.autoreg -- [ NTFS ]
O32 - AutoRun File - [2008/01/20 17:58:26 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/03/28 09:52:13 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symtdi.sys
[2011/03/28 09:52:13 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symtdiv.sys
[2011/03/28 09:52:13 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symds.sys
[2011/03/28 09:52:13 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.sys
[2011/03/28 09:52:13 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.sys
[2011/03/28 09:52:13 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\ironx86.sys
[2011/03/28 09:52:13 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.sys
[2011/03/28 09:52:12 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.sys
[2011/03/28 09:51:50 | 000,000,000 | ---D | C] -- C:\WINXP\System32\drivers\N360\0403000.005
[2011/03/28 01:38:47 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/28 01:38:47 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\S32EVNT1.DLL
[2011/03/28 01:38:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/03/28 01:38:17 | 000,000,000 | ---D | C] -- C:\WINXP\System32\drivers\N360
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Norton Security Suite
[2011/03/28 01:35:53 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/03/28 01:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\NortonInstaller
[2011/03/28 01:35:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\My Documents\Symantec
[2011/03/28 01:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Documents\Norton
[2011/03/28 01:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton
[2011/03/27 16:17:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}
[2011/03/27 16:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\OfferBox
[2011/03/27 16:15:38 | 000,000,000 | ---D | C] -- C:\Program Files\OfferBox
[2011/03/24 17:02:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Desktop\virus removal
[2011/03/24 16:15:27 | 000,000,000 | ---D | C] -- C:\AntiVirus AntiSpyware 2011
[2011/03/16 14:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\Tarma Installer
[2011/03/16 14:45:22 | 000,000,000 | ---D | C] -- C:\Program Files\Drop Down Deals
[2011/03/16 14:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\Nyke
[2011/03/16 14:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\Hyybme
[2011/03/14 23:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\cerasus.media
[2011/03/13 15:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\MysteryChronicles
[2011/03/13 13:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\TikisLab
[2011/03/13 10:00:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Desktop\Baby shower
[2011/03/07 19:47:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\My Documents\EdensQuest
[2011/03/04 21:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\Kristanix Games
[2011/03/04 20:44:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Pirate Mysteries - A Tale of Monkeys, Masks, and Hidden Objects
[2006/07/15 05:01:31 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/03/30 18:12:03 | 000,000,896 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineUA.job
[2011/03/30 18:07:37 | 000,000,664 | ---- | M] () -- C:\WINXP\System32\d3d9caps.dat
[2011/03/30 18:03:20 | 000,000,430 | -H-- | M] () -- C:\WINXP\tasks\User_Feed_Synchronization-{63424663-E5C6-4A2D-98B8-0B95B86A8715}.job
[2011/03/30 17:16:00 | 000,001,002 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003UA.job
[2011/03/30 16:16:00 | 000,000,950 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003Core.job
[2011/03/30 09:20:03 | 000,000,284 | ---- | M] () -- C:\WINXP\tasks\AppleSoftwareUpdate.job
[2011/03/30 09:12:00 | 000,000,892 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineCore.job
[2011/03/30 09:08:38 | 000,013,646 | ---- | M] () -- C:\WINXP\System32\wpa.dbl
[2011/03/30 09:06:24 | 000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat
[2011/03/28 14:25:04 | 000,002,018 | ---- | M] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Norton Security Suite.LNK
[2011/03/28 14:23:24 | 000,561,048 | ---- | M] () -- C:\WINXP\System32\drivers\N360\0403000.005\Cat.DB
[2011/03/28 01:38:46 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/28 01:38:46 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINXP\System32\S32EVNT1.DLL
[2011/03/28 01:38:46 | 000,007,443 | ---- | M] () -- C:\WINXP\System32\drivers\SYMEVENT.CAT
[2011/03/28 01:38:46 | 000,000,805 | ---- | M] () -- C:\WINXP\System32\drivers\SYMEVENT.INF
[2011/03/28 01:34:21 | 000,000,851 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\Norton Installation Files.lnk
[2011/03/28 01:33:15 | 000,000,120 | ---- | M] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/28 01:33:15 | 000,000,000 | ---- | M] () -- C:\WINXP\Dsomajurijafecuf.bin
[2011/03/26 16:19:14 | 000,002,316 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/26 16:19:13 | 000,002,338 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\Google Chrome.lnk
[2011/03/25 13:28:08 | 000,001,935 | ---- | M] () -- C:\AntiVirus AntiSpyware 2011.lnk
[2011/03/24 17:03:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Edward Pena\defogger_reenable
[2011/03/19 09:23:49 | 000,071,680 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/17 18:29:26 | 000,071,072 | ---- | M] () -- C:\WINXP\CouponPrinter.ocx
[2011/03/17 00:28:04 | 000,000,031 | ---- | M] () -- C:\WINXP\sav.ini
[2011/03/13 06:28:15 | 000,475,466 | ---- | M] () -- C:\WINXP\System32\perfh009.dat
[2011/03/13 06:28:15 | 000,076,374 | ---- | M] () -- C:\WINXP\System32\perfc009.dat
[2011/03/08 23:54:44 | 012,799,908 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\13 - Hallelujah.mp3
[2 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/28 14:23:16 | 000,561,048 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\Cat.DB
[2011/03/28 09:52:13 | 000,007,873 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.cat
[2011/03/28 09:52:13 | 000,007,787 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnetv.cat
[2011/03/28 09:52:13 | 000,007,442 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.cat
[2011/03/28 09:52:13 | 000,007,438 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.cat
[2011/03/28 09:52:13 | 000,007,425 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symds.cat
[2011/03/28 09:52:13 | 000,007,368 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnet.cat
[2011/03/28 09:52:13 | 000,003,373 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.inf
[2011/03/28 09:52:13 | 000,002,793 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symds.inf
[2011/03/28 09:52:13 | 000,001,473 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnetv.inf
[2011/03/28 09:52:13 | 000,001,445 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnet.inf
[2011/03/28 09:52:13 | 000,001,388 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.inf
[2011/03/28 09:52:13 | 000,001,382 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.inf
[2011/03/28 09:52:13 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\iron.inf
[2011/03/28 09:52:12 | 000,007,438 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\iron.cat
[2011/03/28 09:52:12 | 000,007,396 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.cat
[2011/03/28 09:52:12 | 000,001,754 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.inf
[2011/03/28 09:51:50 | 000,000,172 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\isolate.ini
[2011/03/28 01:38:47 | 000,007,443 | ---- | C] () -- C:\WINXP\System32\drivers\SYMEVENT.CAT
[2011/03/28 01:38:47 | 000,000,805 | ---- | C] () -- C:\WINXP\System32\drivers\SYMEVENT.INF
[2011/03/28 01:38:41 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Norton Security Suite.LNK
[2011/03/28 01:34:21 | 000,000,851 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Desktop\Norton Installation Files.lnk
[2011/03/27 16:17:20 | 000,000,120 | ---- | C] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/27 16:17:20 | 000,000,000 | ---- | C] () -- C:\WINXP\Dsomajurijafecuf.bin
[2011/03/27 16:15:44 | 000,000,834 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\OfferBox Browser.lnk
[2011/03/24 17:03:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Edward Pena\defogger_reenable
[2011/03/24 16:15:27 | 000,001,935 | ---- | C] () -- C:\AntiVirus AntiSpyware 2011.lnk
[2011/03/17 00:13:20 | 000,000,031 | ---- | C] () -- C:\WINXP\sav.ini
[2010/11/25 04:52:31 | 000,000,552 | ---- | C] () -- C:\WINXP\System32\d3d8caps.dat
[2010/11/15 16:38:42 | 000,000,664 | ---- | C] () -- C:\WINXP\System32\d3d9caps.dat
[2010/11/11 10:16:52 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Application Data\start
[2010/09/11 23:50:49 | 000,004,096 | ---- | C] () -- C:\WINXP\d3dx.dat
[2010/07/29 22:03:33 | 000,000,056 | -H-- | C] () -- C:\WINXP\System32\ezsidmv.dat
[2010/07/08 12:47:14 | 000,000,577 | ---- | C] () -- C:\WINXP\System32\gmsblist.dll
[2010/02/23 00:48:00 | 000,071,680 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/17 17:02:24 | 000,000,000 | ---- | C] () -- C:\WINXP\nsreg.dat
[2010/02/17 14:15:31 | 000,000,370 | ---- | C] () -- C:\WINXP\ODBC.INI
[2010/02/17 13:53:39 | 000,049,152 | ---- | C] () -- C:\WINXP\System32\ChCfg.exe
[2010/02/17 13:53:06 | 000,147,456 | ---- | C] () -- C:\WINXP\System32\RtlCPAPI.dll
[2010/02/17 12:28:24 | 000,516,096 | ---- | C] () -- C:\WINXP\System32\ati2sgag.exe
[2010/02/17 11:22:33 | 000,002,048 | --S- | C] () -- C:\WINXP\bootstat.dat
[2010/02/17 11:16:12 | 000,021,640 | ---- | C] () -- C:\WINXP\System32\emptyregdb.dat
[2010/02/17 10:49:48 | 000,000,004 | ---- | C] () -- C:\Program Files\216640.dat
[2010/02/17 06:06:47 | 000,004,073 | ---- | C] () -- C:\WINXP\ODBCINST.INI
[2010/02/17 06:05:34 | 000,264,616 | ---- | C] () -- C:\WINXP\System32\FNTCACHE.DAT
[2010/02/16 15:19:39 | 000,000,004 | ---- | C] () -- C:\Program Files\515703.dat
[2010/02/16 15:10:11 | 000,000,004 | ---- | C] () -- C:\Program Files\380000.dat
[2010/02/16 14:55:02 | 000,000,004 | ---- | C] () -- C:\Program Files\203125.dat
[2010/02/09 20:36:03 | 000,000,004 | ---- | C] () -- C:\Program Files\4337265.dat
[2010/02/09 11:34:27 | 000,000,004 | ---- | C] () -- C:\Program Files\801734.dat
[2010/02/08 17:07:31 | 000,000,004 | ---- | C] () -- C:\Program Files\642250.dat
[2010/02/08 16:30:36 | 000,000,004 | ---- | C] () -- C:\Program Files\4091031.dat
[2010/02/08 16:23:41 | 000,012,516 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\3MCpwemL5YTJrov4siH01YW7mxkNBjFY8TpTq
[2010/02/08 14:57:48 | 000,000,004 | ---- | C] () -- C:\Program Files\936093.dat
[2010/02/08 14:41:33 | 000,000,004 | ---- | C] () -- C:\Program Files\1661062.dat
[2010/02/08 14:13:02 | 000,000,004 | ---- | C] () -- C:\Program Files\8665968.dat
[2010/02/08 11:47:46 | 000,000,004 | ---- | C] () -- C:\Program Files\1236390.dat
[2010/02/08 11:26:09 | 000,000,004 | ---- | C] () -- C:\Program Files\2282265.dat
[2010/02/08 10:47:17 | 000,000,004 | ---- | C] () -- C:\Program Files\5707171.dat
[2010/02/08 09:11:21 | 000,000,004 | ---- | C] () -- C:\Program Files\1911609.dat
[2010/02/07 22:08:20 | 000,000,004 | ---- | C] () -- C:\Program Files\1643296.dat
[2010/02/07 21:42:33 | 000,009,662 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\cXkOhMbP87Kh
[2010/02/06 18:11:34 | 000,015,606 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\cXkOhMbP87Kh
[2009/09/10 20:01:44 | 000,041,872 | ---- | C] () -- C:\WINXP\System32\xfcodec.dll
[2009/06/07 13:50:53 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2009/01/15 00:03:54 | 000,036,868 | ---- | C] () -- C:\Program Files\uninst-shine.exe
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINXP\System32\mlang.dat
[2008/04/14 08:00:00 | 000,475,466 | ---- | C] () -- C:\WINXP\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINXP\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINXP\System32\dssec.dat
[2008/04/14 08:00:00 | 000,076,374 | ---- | C] () -- C:\WINXP\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINXP\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINXP\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINXP\System32\secupd.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINXP\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\noise.dat
[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- C:\WINXP\System32\OpenQuicktimeLib.dll
[2008/01/03 18:32:36 | 000,000,246 | ---- | C] () -- C:\Program Files\Common Files\quha
[2005/09/06 20:13:44 | 000,086,016 | ---- | C] () -- C:\WINXP\NMUninst18.exe
[2005/07/19 09:25:16 | 000,104,361 | ---- | C] () -- C:\WINXP\System32\atiicdxx.dat
[2005/04/24 21:56:33 | 000,000,561 | -H-- | C] () -- C:\Documents and Settings\Edward Pena\Application Data\Edward Penalog.dat
[2004/08/18 13:59:14 | 013,107,200 | ---- | C] () -- C:\WINXP\System32\oembios.bin
[2004/08/18 13:58:40 | 000,005,269 | ---- | C] () -- C:\WINXP\System32\oembios.dat
[2003/01/07 11:05:08 | 000,002,695 | ---- | C] () -- C:\WINXP\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:9E46FAD0
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:637A9205
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:D1AD90C3
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:35CC801E
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:1170D6E4
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:D4BE48F5
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:B30D9A49
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:92A815D8
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:BB8B6B1E
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:207C4C79
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:1CB4A530
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:12D2EB9C
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:E40EED9B

< End of report >

#4 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 31 March 2011 - 12:19 PM

Hi-

Thank you for the logs. They did show some problems and one was a backdoor trojan. A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue with the cleanup -

First, please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.21.0) from Kaspersky's website.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.

    To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.

  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. C:\TDSSKiller.2.4.21_23.07.2010_15.31.43_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

Next, download Combofix from either of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable your Anti-virus


Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please copy the "C:\ComboFix.txt" into your reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


In your reply, copy in the contents of the TDSSKiller report and the ComboFix report. How is your computer running now?
Shannon
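A way to make the log review behind this reply repeatable, as an added example that is not part of the original thread and not a tool from OTL, ComboFix or BleepingComputer: a small Python script that parses lines in the two log formats posted above (OTL file entries and ComboFix "Reg Loading Points" entries) and flags the entries a helper would look at first. The sample lines are copied from the logs in this thread; the rule names, regexes and thresholds are this example's own heuristics, and a hit means "look closer", not "malware".

```python
"""Triage heuristics for OTL and ComboFix log lines (added example, not a
BleepingComputer/OTL/ComboFix tool).  Rules are heuristics that select
entries for human follow-up; they are not malware verdicts."""
import re

# Sample input: lines copied verbatim from the OTL and ComboFix logs in
# this thread (raw string so backslashes in Windows paths survive).
SAMPLE_LOG = r"""
[2011/03/28 01:38:47 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/28 01:33:15 | 000,000,120 | ---- | M] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/27 16:17:20 | 000,000,000 | ---- | C] () -- C:\WINXP\Dsomajurijafecuf.bin
[2011/03/17 00:28:04 | 000,000,031 | ---- | M] () -- C:\WINXP\sav.ini
[2010/02/08 16:23:41 | 000,012,516 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\3MCpwemL5YTJrov4siH01YW7mxkNBjFY8TpTq
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"Hgidadazayujup"="c:\winxp\washpapi.dll" [N/A]
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
"""

# OTL file entry: [date | size | attrs | C/M] (company) -- path [-- [ FS ]]
OTL_FILE = re.compile(
    r"^\[(?P<date>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<flag>[CM])\] (?:\((?P<company>[^)]*)\) )?"
    r"-- (?P<path>.*?)(?: -- \[ \w+ \])?$"
)
# ComboFix autostart entry: "name"="target" [date size]  or  [N/A]
CF_RUN = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"\s+\[(?P<info>[^\]]*)\]$')
# Security Center overrides and the XP firewall policy switch
SEC_OVERRIDE = re.compile(
    r'^"(?:AntiVirusOverride|FirewallOverride|UpdatesOverride|'
    r'AntiVirusDisableNotify|FirewallDisableNotify)"=dword:0*1$'
)
FW_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# Last path component when the file sits directly in the Windows root or
# directly under an "Application Data" folder (heuristic scope choice).
SENSITIVE_DIR = re.compile(
    r"(?:^[A-Za-z]:\\(?:WINXP|WINDOWS|WINNT)|\\Application Data)\\(?P<name>[^\\]+)$", re.I
)
# "Pronounceable random" stems: letters only, 8+ chars, at most a leading capital.
RANDOM_STEM = re.compile(r"[A-Z]?[a-z]{7,}")
SERVICE_PROFILE = re.compile(r"\\(?:LocalService|NetworkService)(?:\.[^\\]+)?\\", re.I)
SPACED_EXT = re.compile(r"\S \.[A-Za-z0-9]{2,4}$")  # e.g. "adobearm .exe"


def triage(log_text):
    """Return (rule, line) pairs for every line that trips a heuristic."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            hits.append(("space_before_extension", line))
        if SEC_OVERRIDE.match(line) or FW_OFF.match(line):
            hits.append(("security_center_disabled", line))
        m = CF_RUN.match(line)
        if m:
            # ComboFix prints [N/A] when it cannot read the target file.
            if m["info"].strip().upper() == "N/A":
                hits.append(("autostart_target_unreadable", line))
            # Run values launch programs; a bare .dll target is unusual.
            if m["target"].lower().endswith(".dll"):
                hits.append(("autostart_points_to_dll", line))
        m = OTL_FILE.match(line)
        if m:
            path, attrs = m["path"], m["attrs"]
            # Hidden+System files under a service-account profile.
            if "H" in attrs and "S" in attrs and SERVICE_PROFILE.search(path):
                hits.append(("hidden_system_file_in_service_profile", line))
            d = SENSITIVE_DIR.search(path)
            if d and RANDOM_STEM.fullmatch(d["name"].rsplit(".", 1)[0]):
                hits.append(("random_name_in_sensitive_dir", line))
    return hits


def summarize(hits):
    """Count hits per rule, for a quick overview before reading lines."""
    counts = {}
    for rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, line in found:
        print(f"{rule:40s} {line}")
    print(summarize(found))
```

Every rule here also has benign hits in a real log: `[N/A]` appears on the disabled HP `ps2.exe` msconfig entry in the same ComboFix report, and a game vendor folder with an all-lowercase name would trip the random-name rule. The script narrows the reading list; the helper still decides.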

#5 Nicholas334

  • Topic Starter
  • Members
  • 29 posts

Posted 31 March 2011 - 06:19 PM

At this time, I do not have a reinstall disk, since my computer does not have one. I will have to see about getting a disk and a product key, and I need to backup my picture and video files. Then I will do a clean reinstall. I will have to change all my passwords, and have warned my husband about not doing any important work on our computer until I can do a clean reinstall.

ComboFix 11-03-31.01 - Edward Pena 03/31/2011 18:35:39.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.789 [GMT -4:00]
Running from: c:\documents and settings\Edward Pena\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users.WINXP\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\All Users.WINXP\Start Menu\Programs\OfferBox Browser.lnk
c:\documents and settings\Edward Pena\Application Data\Edward Penalog.dat
c:\documents and settings\Edward Pena\Application Data\OfferBox
c:\documents and settings\Edward Pena\Application Data\OfferBox\config.dat
c:\documents and settings\Edward Pena\Application Data\OfferBox\config.xml
c:\documents and settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}
c:\documents and settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}\chrome.manifest
c:\documents and settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}\chrome\content\_cfg.js
c:\documents and settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}\chrome\content\overlay.xul
c:\documents and settings\Edward Pena\Local Settings\Application Data\{759A70EF-CF25-4165-A342-5460FD538680}\install.rdf
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AntiVirus AntiSpyware 2011
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AntiVirus AntiSpyware 2011\IcoActivate.ico
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AntiVirus AntiSpyware 2011\IcoHelp.ico
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AntiVirus AntiSpyware 2011\IcoUninstall.ico
c:\documents and settings\NetworkService.NT AUTHORITY\Application Data\AntiVirus AntiSpyware 2011\securityhelper.exe
c:\program files\Drop Down Deals
c:\program files\Drop Down Deals\YontooIEClient.dll
c:\program files\OfferBox
c:\program files\OfferBox\OfferBox.exe
c:\program files\OfferBox\OfferBoxBHO.dll
c:\program files\OfferBox\OfferBoxChromeExtension.crx
c:\program files\OfferBox\OfferBoxEngine.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome.manifest
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\events.js
c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\overlay.xul
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll
c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.xpt
c:\program files\OfferBox\offerboxffx@offerbox.com\install.rdf
c:\program files\OfferBox\OfferBoxLauncher.exe
c:\program files\OfferBox\res\language.xml
c:\program files\OfferBox\res\loader.gif
c:\program files\OfferBox\uninst.exe
c:\winxp\system32\midas.dll
c:\winxp\WINDOWS
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_SRV96C
-------\Service_6to4
-------\Service_srv96C
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-31 )))))))))))))))))))))))))))))))
.
.
2011-03-28 05:38 . 2011-03-28 05:38 60808 ----a-w- c:\winxp\system32\S32EVNT1.DLL
2011-03-28 05:38 . 2011-03-28 05:38 124976 ----a-w- c:\winxp\system32\drivers\SYMEVENT.SYS
2011-03-28 05:38 . 2011-03-28 05:38 -------- d-----w- c:\program files\Symantec
2011-03-28 05:38 . 2011-03-28 18:25 -------- d-----w- c:\winxp\system32\drivers\N360
2011-03-28 05:38 . 2011-03-28 05:38 -------- d-----w- c:\program files\Norton Security Suite
2011-03-28 05:38 . 2011-03-28 05:38 -------- d-----w- c:\program files\Windows Sidebar
2011-03-28 05:35 . 2011-03-28 05:35 -------- d-----w- c:\program files\NortonInstaller
2011-03-28 05:34 . 2011-03-28 05:38 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Norton
2011-03-27 20:17 . 2011-03-28 05:33 0 ----a-w- c:\winxp\Dsomajurijafecuf.bin
2011-03-24 20:15 . 2011-03-24 20:15 -------- d-----w- C:\AntiVirus AntiSpyware 2011
2011-03-16 18:44 . 2011-03-16 22:19 -------- d-----w- c:\documents and settings\Edward Pena\Application Data\Hyybme
2011-03-16 18:44 . 2011-03-16 20:54 -------- d-----w- c:\documents and settings\Edward Pena\Application Data\Nyke
2011-03-15 03:35 . 2011-03-15 03:35 -------- d-----w- c:\documents and settings\Edward Pena\Application Data\cerasus.media
2011-03-13 19:55 . 2011-03-13 19:55 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\MysteryChronicles
2011-03-13 17:24 . 2011-03-13 17:24 -------- d-----w- c:\documents and settings\Edward Pena\Application Data\TikisLab
2011-03-05 01:05 . 2011-03-05 01:05 -------- d-----w- c:\documents and settings\All Users.WINXP\Application Data\Kristanix Games
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-17 22:29 . 2011-02-14 22:05 71072 ----a-w- c:\winxp\CouponPrinter.ocx
2011-02-26 23:42 . 2010-11-26 15:04 398760 ----a-r- c:\winxp\system32\cpnprt2.cid
2011-02-03 01:40 . 2010-11-24 22:58 472808 ----a-w- c:\winxp\system32\deployJava1.dll
2011-02-02 23:19 . 2010-11-24 22:58 73728 ----a-w- c:\winxp\system32\javacpl.cpl
2009-01-15 04:04 . 2009-01-15 04:03 36868 -c--a-w- c:\program files\uninst-shine.exe
2006-07-15 09:01 . 2006-07-15 09:01 774144 ----a-w- c:\program files\RngInterstitial.dll
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 68856]
"Google Update"="c:\documents and settings\Edward Pena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]
"Hgidadazayujup"="c:\winxp\washpapi.dll" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 329096]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\6.3.2348.0\mswinext.exe" [2010-10-11 273672]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-14 27136]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINXP^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
path=c:\documents and settings\All Users.WINXP\Start Menu\Programs\Startup\ATI CATALYST System Tray.lnk
backup=c:\winxp\pss\ATI CATALYST System Tray.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2005-08-14 05:34 57344 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 20:44 61440 -c--a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
c:\winxp\system32\ps2.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Ntreev\\Grand Chase\\main.exe"=
"c:\\Program Files\\Raptr\\raptr.exe"=
"c:\\Program Files\\Raptr\\raptr_im.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Custom Edition\\haloce.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Edward Pena\\Desktop\\Nick's Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-x.x.x.x-4.0.0.12911-Downloader.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"56115:TCP"= 56115:TCP:Pando Media Booster
"56115:UDP"= 56115:UDP:Pando Media Booster
.
R0 SymDS;Symantec Data Store;c:\winxp\system32\drivers\N360\0403000.005\symds.sys [3/28/2011 9:52 AM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\winxp\system32\drivers\N360\0403000.005\symefa.sys [3/28/2011 9:52 AM 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx86.sys [3/9/2011 9:11 PM 800376]
R1 ccHP;Symantec Hash Provider;c:\winxp\system32\drivers\N360\0403000.005\cchpx86.sys [3/28/2011 9:52 AM 501888]
R1 SymIRON;Symantec Iron Driver;c:\winxp\system32\drivers\N360\0403000.005\ironx86.sys [3/28/2011 9:52 AM 116784]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe [3/28/2011 9:51 AM 126392]
R2 PackethSvc;Virtual NIC Service;c:\winxp\system32\PackethSvc.exe [8/9/2010 11:41 PM 64512]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/28/2011 1:39 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110330.001\IDSXpx86.sys [3/31/2011 2:09 AM 341944]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\winxp\system32\drivers\libusb0.sys [1/14/2011 3:02 AM 28672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\winxp\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/9/2009 4:57 PM 133104]
S3 dsiarhwprog;dsiarhwprog;c:\winxp\system32\drivers\dsiarhwprog.sys [12/14/2010 1:13 AM 29184]
S3 MUD;Driver for Magellan USB Device;c:\winxp\system32\drivers\MUD.sys [7/8/2010 1:24 PM 51200]
S3 npggsvc;nProtect GameGuard Service;c:\winxp\system32\GameMon.des -service --> c:\winxp\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\winxp\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\winxp\system32\drivers\WPRO_40_1340.sys --> c:\winxp\system32\drivers\WPRO_40_1340.sys [?]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\winxp\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-03-31 c:\winxp\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 20:57]
.
2011-03-31 c:\winxp\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-09 20:57]
.
2011-03-31 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003Core.job
- c:\documents and settings\Edward Pena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 13:07]
.
2011-03-31 c:\winxp\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003UA.job
- c:\documents and settings\Edward Pena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-12-30 13:07]
.
2011-03-31 c:\winxp\Tasks\User_Feed_Synchronization-{63424663-E5C6-4A2D-98B8-0B95B86A8715}.job
- c:\winxp\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://webcenters.netscape.compuserve.com/menu/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} - hxxp://download.netmarble.net/web/nmstarter/NMStarter26_20091109.cab
DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab
DPF: {89F434A7-4A49-4394-AC02-007480331AE2} - hxxp://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab
DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} - hxxp://download.netmarble.net/kdefence/kdfense8237.cab
DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Hidden Mysteries - The Fateful Voyage - Titanic 1.00 - c:\documents and settings\Edward Pena\Desktop\mystic\Hidden Mysteries - The Fateful Voyage - Titanic\Uninstall.exe
AddRemove-Journalistic Stories - c:\program files\Journalistic Stories\Uninstal.exe
AddRemove-Nat Geo - Lilly Wu And The Terra Cotta Mystery 1.00 - c:\documents and settings\Edward Pena\Desktop\mystic\Nat Geo - Lilly Wu And The Terra Cotta Mystery\Uninstall.exe
AddRemove-OfferBox Browser - c:\program files\OfferBox\uninst.exe
AddRemove-Reincarnations Uncover the Past Regular 1.00 - c:\documents and settings\Edward Pena\Desktop\mystic\Reincarnations Uncover the Past Regular\Uninstall.exe
AddRemove-Save Our Spirit 1.00 - c:\program files\Games\Save Our Spirit\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-31 19:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\winxp\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-2049760794-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:6c,b8,a6,e5,03,3e,f6,5c,a0,23,c2,42,1e,23,ac,c5,43,fc,6a,2e,f4,
15,5c,5e,15,ee,43,41,12,7f,28,2c,ce,48,9f,77,e0,36,a1,0b,75,f4,05,e7,5f,ee,\
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINXP\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINXP\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\winxp\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3336)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\progra~1\WINDOW~1\wmpband.dll
c:\winxp\system32\ieframe.dll
c:\winxp\system32\webcheck.dll
c:\winxp\system32\OneX.DLL
c:\winxp\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winxp\system32\Ati2evxx.exe
c:\winxp\system32\Ati2evxx.exe
c:\documents and settings\Edward Pena\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\winxp\system32\locator.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\winxp\system32\wdfmgr.exe
c:\winxp\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\winxp\SoftwareDistribution\Download\6189e468edd5590d58e8ee89d5ba249f\update\update.exe
.
**************************************************************************
.
Completion time: 2011-03-31 19:11:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-31 23:10
.
Pre-Run: 8,727,900,160 bytes free
Post-Run: 10,250,629,120 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINXP
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINXP="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 1674307BDF4FB211495B673BCA563149


2011/03/31 18:06:00.0781 3556 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/31 18:06:01.0078 3556 ================================================================================
2011/03/31 18:06:01.0078 3556 SystemInfo:
2011/03/31 18:06:01.0078 3556
2011/03/31 18:06:01.0078 3556 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/31 18:06:01.0078 3556 Product type: Workstation
2011/03/31 18:06:01.0078 3556 ComputerName: EDWARD-9A2E13D7
2011/03/31 18:06:01.0078 3556 UserName: Edward Pena
2011/03/31 18:06:01.0078 3556 Windows directory: C:\WINXP
2011/03/31 18:06:01.0078 3556 System windows directory: C:\WINXP
2011/03/31 18:06:01.0078 3556 Processor architecture: Intel x86
2011/03/31 18:06:01.0078 3556 Number of processors: 1
2011/03/31 18:06:01.0078 3556 Page size: 0x1000
2011/03/31 18:06:01.0078 3556 Boot type: Normal boot
2011/03/31 18:06:01.0078 3556 ================================================================================
2011/03/31 18:06:01.0968 3556 Initialize success
2011/03/31 18:06:51.0140 3596 ================================================================================
2011/03/31 18:06:51.0140 3596 Scan started
2011/03/31 18:06:51.0140 3596 Mode: Manual;
2011/03/31 18:06:51.0140 3596 ================================================================================
2011/03/31 18:07:05.0140 3596 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/31 18:07:05.0156 3596 ================================================================================
2011/03/31 18:07:05.0156 3596 Scan finished
2011/03/31 18:07:05.0156 3596 ================================================================================
2011/03/31 18:07:05.0171 3016 Detected object count: 1
2011/03/31 18:07:20.0500 3016 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/31 18:07:20.0500 3016 \HardDisk0 - ok
2011/03/31 18:07:20.0500 3016 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/31 18:07:27.0156 0916 Deinitialize success

#6 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:20 AM

Posted 01 April 2011 - 08:41 AM

Hi-

It looks like TDSSKiller and ComboFix did a good job, but there is still more to do.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the codebox below into it:

RenV::
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hgidadazayujup"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Next, do a new OTL scan.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it into your reply:
  • OTL.txt <-- Will be the opened report

In your reply, please copy in the contents of the ComboFix and OTL reports. How is your computer doing now?
Shannon

#7 Nicholas334

Nicholas334
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:03:20 AM

Posted 02 April 2011 - 08:41 AM

OTL logfile created on: 4/2/2011 9:34:00 AM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Edward Pena\Desktop\virus removal
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 62.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINXP | %ProgramFiles% = C:\Program Files
Drive C: | 178.37 Gb Total Space | 9.09 Gb Free Space | 5.10% Space Free | Partition Type: NTFS
Drive H: | 7.91 Gb Total Space | 0.55 Gb Free Space | 6.95% Space Free | Partition Type: FAT32

Computer Name: EDWARD-9A2E13D7 | User Name: Edward Pena | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/03/30 18:06:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Edward Pena\Desktop\virus removal\OTL.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/11/17 14:22:57 | 000,329,096 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccsvchst.exe
PRC - [2010/01/15 08:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/04/14 08:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINXP\explorer.exe
PRC - [2001/08/09 16:46:44 | 000,064,512 | -H-- | M] (America Online, Inc.) -- C:\WINXP\system32\PackethSvc.exe


========== Modules (SafeList) ==========

MOD - [2011/03/30 18:06:29 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Edward Pena\Desktop\virus removal\OTL.exe
MOD - [2010/09/20 15:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\asoehook.dll
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINXP\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
MOD - [2007/03/26 14:03:20 | 000,057,344 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/09/17 21:14:22 | 000,460,144 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/02/25 20:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ccSvcHst.exe -- (N360)
SRV - [2010/02/10 12:01:00 | 003,428,588 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINXP\System32\GameMon.des -- (npggsvc)
SRV - [2010/01/15 08:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [Disabled | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2008/04/13 20:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2001/08/09 16:46:44 | 000,064,512 | -H-- | M] (America Online, Inc.) [Auto | Running] -- C:\WINXP\system32\PackethSvc.exe -- (PackethSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/03/31 02:08:51 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110401.032\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/03/31 02:08:51 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110401.032\NAVENG.SYS -- (NAVENG)
DRV - [2011/03/28 01:38:46 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/27 01:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/03/27 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/03/14 14:58:34 | 000,341,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110330.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/03/09 21:11:42 | 000,800,376 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/05/06 00:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\System32\Drivers\N360\0403000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 23:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINXP\System32\Drivers\N360\0403000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 20:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\ccHPx86.sys -- (ccHP)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINXP\system32\drivers\N360\0403000.005\SYMDS.SYS -- (SymDS)
DRV - [2008/09/24 11:40:22 | 004,122,368 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2008/04/13 18:05:40 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2008/02/05 13:51:38 | 000,051,200 | ---- | M] (Magellan) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\MUD.sys -- (MUD)
DRV - [2007/03/20 12:33:26 | 000,028,672 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\libusb0.sys -- (libusb0)
DRV - [2007/02/08 09:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)
DRV - [2006/01/18 19:41:58 | 000,080,512 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/12/12 17:27:00 | 000,019,072 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINXP\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/08/13 22:35:54 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2001/08/09 18:26:02 | 000,022,608 | ---- | M] (America Online, Inc.) [Kernel | On_Demand | Running] -- C:\WINXP\system32\drivers\wandrv.sys -- (wandrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINXP\system32\blank.htm
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://webcenters.netscape.compuserve.com/menu/
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-1292428093-2049760794-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = CA 41 33 55 AE 81 CB 01 [binary data]
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch =
IE - HKU\S-1-5-21-1292428093-2049760794-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "BearShare Web Search"
FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "BearShare Web Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://webcenters.netscape.compuserve.com/menu/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: ConsumerInput@Compete:8477
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: toolbar@shopathome.com:5.2.0.0
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3
FF - prefs.js..extensions.enabledItems: {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}:3.3.3.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1.6.2.87
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.0
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24


FF - HKLM\software\mozilla\Firefox\extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2010/08/11 18:38:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/12/31 22:15:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/03/28 09:51:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users.WINXP\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2011/03/28 01:39:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/02 09:32:51 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/03/23 12:54:28 | 000,000,000 | ---D | M]

[2010/02/17 17:02:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Extensions
[2011/04/02 08:51:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions
[2011/01/12 22:34:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/03 04:44:13 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] (Swag Bucks Community Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}
[2010/08/12 01:56:17 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] ("Consumer Input") -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\ConsumerInput@Compete
[2011/03/21 08:54:39 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\engine@conduit.com
[2011/03/21 08:54:40 | 000,000,000 | ---D | M] ("Upromise TurboSaver") -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\FFToolbar@upromise
[2010/12/16 23:15:41 | 000,000,000 | ---D | M] (ShopAtHome.com Intelligent Shopping Toolbar) -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\extensions\toolbar@shopathome.com
[2009/12/03 11:54:24 | 000,002,476 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\searchplugins\BearShareWebSearch.xml
[2010/01/20 13:15:44 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Mozilla\Firefox\Profiles\cumc6jwr.default\searchplugins\conduit.xml
[2011/04/02 08:51:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/30 11:38:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/31 01:56:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/03/28 01:39:40 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS.WINXP\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\COFFPLGN
[2011/03/28 09:51:46 | 000,000,000 | ---D | M] (Norton IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS.WINXP\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPLGN
[2010/11/24 18:57:31 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2010/08/11 18:38:11 | 000,000,000 | ---D | M] (AI Roboform Toolbar for Firefox) -- C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\FIREFOX
[2010/12/29 17:51:03 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol400.dll
[2010/12/29 17:51:03 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPcol500.dll
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2007/03/09 19:16:44 | 000,189,496 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npyaxmpb.dll
[2009/12/03 11:54:24 | 000,002,476 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\BearShareWebSearch.xml
[2011/03/16 14:45:19 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml

O1 HOSTS File: ([2011/03/31 18:59:02 | 000,000,027 | ---- | M]) - C:\WINXP\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.3.0.5\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2008/08/01 01:03:06 | 000,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-500\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1292428093-2049760794-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..Trusted Domains: compuserve.com ([]* is out of zone range - 5)
O15 - HKU\S-1-5-21-1292428093-2049760794-682003330-1003\..Trusted Domains: compuserve.com ([objects] * is out of zone range - 6)
O16 - DPF: {00001026-A15C-11D4-97A4-0050BF0FBE67} http://download.netmarble.net/web/nmstarter/NMStarter26_20091109.cab (NetmarbleStarter26 Class)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab (Symantec AntiVirus scanner)
O16 - DPF: {5C1B293E-DA77-4AFF-8B52-63DEF8C8A071} http://download.netmarble.net/ActiveX/NMAutoUpdateX/NMAutoUpdateX_1.0.1.1_20091109.cab (NetmarbleAutoUpdater Class)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {89F434A7-4A49-4394-AC02-007480331AE2} http://download.netmarble.net/ActiveX/NMAutoUpdateX/SystemIDInfo/NMSystemIDInfo_1.0.0.1.cab (NetmarbleSystemIDInfo Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} http://download.netmarble.net/kdefence/kdfense8237.cab (Kdfense8 Control)
O16 - DPF: {A7846ED2-9DE6-4E8A-B116-A8ACEBFA7DB1} http://rms2.invokesolutions.com/events/bin/6.2.0.1452/MILive.cab (Invoke Solutions MILiveParticipantPadHelper Control)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab (Java Plug-in 1.6.0_24)
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} Reg Error: Key error. (Invoke Solutions Participant Control(MR))
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Value error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINXP\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINXP\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/07 15:48:45 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/04/04 16:40:01 | 000,000,000 | ---- | M] () - C:\.autoreg -- [ NTFS ]
O32 - AutoRun File - [2008/01/20 17:58:26 | 000,000,000 | ---D | M] - C:\Autoruns -- [ NTFS ]
O32 - AutoRun File - [2001/07/27 15:07:38 | 000,000,000 | -HS- | M] () - H:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/02 09:13:09 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/04/02 09:02:02 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/03/31 18:20:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINXP\SWXCACLS.exe
[2011/03/31 18:20:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINXP\SWREG.exe
[2011/03/31 18:20:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINXP\SWSC.exe
[2011/03/31 18:20:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINXP\NIRCMD.exe
[2011/03/31 18:19:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/03/31 01:56:39 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaws.exe
[2011/03/31 01:56:39 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\javaw.exe
[2011/03/31 01:56:39 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINXP\System32\java.exe
[2011/03/28 09:52:13 | 000,361,904 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symtdi.sys
[2011/03/28 09:52:13 | 000,339,504 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symtdiv.sys
[2011/03/28 09:52:13 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symds.sys
[2011/03/28 09:52:13 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.sys
[2011/03/28 09:52:13 | 000,173,104 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.sys
[2011/03/28 09:52:13 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\ironx86.sys
[2011/03/28 09:52:13 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.sys
[2011/03/28 09:52:12 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.sys
[2011/03/28 09:51:50 | 000,000,000 | ---D | C] -- C:\WINXP\System32\drivers\N360\0403000.005
[2011/03/28 01:38:47 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/28 01:38:47 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINXP\System32\S32EVNT1.DLL
[2011/03/28 01:38:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/03/28 01:38:17 | 000,000,000 | ---D | C] -- C:\WINXP\System32\drivers\N360
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Security Suite
[2011/03/28 01:38:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Norton Security Suite
[2011/03/28 01:35:53 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2011/03/28 01:35:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\NortonInstaller
[2011/03/28 01:35:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\My Documents\Symantec
[2011/03/28 01:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Documents\Norton
[2011/03/28 01:34:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\Norton
[2011/03/24 17:02:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Desktop\virus removal
[2011/03/24 16:15:27 | 000,000,000 | ---D | C] -- C:\AntiVirus AntiSpyware 2011
[2011/03/16 14:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\Nyke
[2011/03/16 14:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\Hyybme
[2011/03/14 23:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\cerasus.media
[2011/03/13 15:55:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\MysteryChronicles
[2011/03/13 13:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Application Data\TikisLab
[2011/03/13 10:00:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\Desktop\Baby shower
[2011/03/07 19:47:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Edward Pena\My Documents\EdensQuest
[2011/03/04 21:05:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Application Data\Kristanix Games
[2011/03/04 20:44:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Pirate Mysteries - A Tale of Monkeys, Masks, and Hidden Objects
[2006/07/15 05:01:31 | 000,774,144 | ---- | C] (RealNetworks, Inc.) -- C:\Program Files\RngInterstitial.dll
[2 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/02 09:13:15 | 000,000,431 | RHS- | M] () -- C:\boot.ini
[2011/04/02 09:02:51 | 000,000,430 | -H-- | M] () -- C:\WINXP\tasks\User_Feed_Synchronization-{63424663-E5C6-4A2D-98B8-0B95B86A8715}.job
[2011/04/02 08:16:00 | 000,001,002 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003UA.job
[2011/04/02 08:12:00 | 000,000,896 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/02 01:45:49 | 000,013,646 | ---- | M] () -- C:\WINXP\System32\wpa.dbl
[2011/04/02 01:43:47 | 000,000,892 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/02 01:43:30 | 000,002,048 | --S- | M] () -- C:\WINXP\bootstat.dat
[2011/04/01 16:16:02 | 000,000,950 | ---- | M] () -- C:\WINXP\tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-2049760794-682003330-1003Core.job
[2011/04/01 03:51:20 | 000,264,616 | ---- | M] () -- C:\WINXP\System32\FNTCACHE.DAT
[2011/04/01 03:15:10 | 000,577,842 | ---- | M] () -- C:\WINXP\System32\drivers\N360\0403000.005\Cat.DB
[2011/04/01 03:14:50 | 000,001,355 | ---- | M] () -- C:\WINXP\imsins.BAK
[2011/03/31 18:59:02 | 000,000,027 | ---- | M] () -- C:\WINXP\System32\drivers\etc\hosts
[2011/03/31 18:28:48 | 000,000,431 | ---- | M] () -- C:\Boot.bak
[2011/03/31 17:49:53 | 000,000,664 | ---- | M] () -- C:\WINXP\System32\d3d9caps.dat
[2011/03/30 09:20:03 | 000,000,284 | ---- | M] () -- C:\WINXP\tasks\AppleSoftwareUpdate.job
[2011/03/28 14:25:04 | 000,002,018 | ---- | M] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Norton Security Suite.LNK
[2011/03/28 01:38:46 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/28 01:38:46 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINXP\System32\S32EVNT1.DLL
[2011/03/28 01:38:46 | 000,007,443 | ---- | M] () -- C:\WINXP\System32\drivers\SYMEVENT.CAT
[2011/03/28 01:38:46 | 000,000,805 | ---- | M] () -- C:\WINXP\System32\drivers\SYMEVENT.INF
[2011/03/28 01:34:21 | 000,000,851 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\Norton Installation Files.lnk
[2011/03/28 01:33:15 | 000,000,120 | ---- | M] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/28 01:33:15 | 000,000,000 | ---- | M] () -- C:\WINXP\Dsomajurijafecuf.bin
[2011/03/26 16:19:14 | 000,002,316 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/03/26 16:19:13 | 000,002,338 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\Google Chrome.lnk
[2011/03/25 13:28:08 | 000,001,935 | ---- | M] () -- C:\AntiVirus AntiSpyware 2011.lnk
[2011/03/24 17:03:30 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Edward Pena\defogger_reenable
[2011/03/19 09:23:49 | 000,071,680 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/17 18:29:26 | 000,071,072 | ---- | M] () -- C:\WINXP\CouponPrinter.ocx
[2011/03/17 00:28:04 | 000,000,031 | ---- | M] () -- C:\WINXP\sav.ini
[2011/03/13 06:28:15 | 000,475,466 | ---- | M] () -- C:\WINXP\System32\perfh009.dat
[2011/03/13 06:28:15 | 000,076,374 | ---- | M] () -- C:\WINXP\System32\perfc009.dat
[2011/03/08 23:54:44 | 012,799,908 | ---- | M] () -- C:\Documents and Settings\Edward Pena\Desktop\13 - Hallelujah.mp3
[2 C:\WINXP\System32\*.tmp files -> C:\WINXP\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/03/31 18:20:34 | 000,256,512 | ---- | C] () -- C:\WINXP\PEV.exe
[2011/03/31 18:20:34 | 000,098,816 | ---- | C] () -- C:\WINXP\sed.exe
[2011/03/31 18:20:34 | 000,089,088 | ---- | C] () -- C:\WINXP\MBR.exe
[2011/03/31 18:20:34 | 000,080,412 | ---- | C] () -- C:\WINXP\grep.exe
[2011/03/31 18:20:34 | 000,068,096 | ---- | C] () -- C:\WINXP\zip.exe
[2011/03/28 14:23:16 | 000,577,842 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\Cat.DB
[2011/03/28 09:52:13 | 000,007,873 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.cat
[2011/03/28 09:52:13 | 000,007,787 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnetv.cat
[2011/03/28 09:52:13 | 000,007,442 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.cat
[2011/03/28 09:52:13 | 000,007,438 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.cat
[2011/03/28 09:52:13 | 000,007,425 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symds.cat
[2011/03/28 09:52:13 | 000,007,368 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnet.cat
[2011/03/28 09:52:13 | 000,003,373 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symefa.inf
[2011/03/28 09:52:13 | 000,002,793 | R--- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symds.inf
[2011/03/28 09:52:13 | 000,001,473 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnetv.inf
[2011/03/28 09:52:13 | 000,001,445 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\symnet.inf
[2011/03/28 09:52:13 | 000,001,388 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtspx.inf
[2011/03/28 09:52:13 | 000,001,382 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\srtsp.inf
[2011/03/28 09:52:13 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\iron.inf
[2011/03/28 09:52:12 | 000,007,438 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\iron.cat
[2011/03/28 09:52:12 | 000,007,396 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.cat
[2011/03/28 09:52:12 | 000,001,754 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\cchpx86.inf
[2011/03/28 09:51:50 | 000,000,172 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\isolate.ini
[2011/03/28 01:38:47 | 000,007,443 | ---- | C] () -- C:\WINXP\System32\drivers\SYMEVENT.CAT
[2011/03/28 01:38:47 | 000,000,805 | ---- | C] () -- C:\WINXP\System32\drivers\SYMEVENT.INF
[2011/03/28 01:38:41 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\All Users.WINXP\Desktop\Norton Security Suite.LNK
[2011/03/28 01:34:21 | 000,000,851 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Desktop\Norton Installation Files.lnk
[2011/03/27 16:17:20 | 000,000,120 | ---- | C] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/27 16:17:20 | 000,000,000 | ---- | C] () -- C:\WINXP\Dsomajurijafecuf.bin
[2011/03/24 17:03:30 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Edward Pena\defogger_reenable
[2011/03/24 16:15:27 | 000,001,935 | ---- | C] () -- C:\AntiVirus AntiSpyware 2011.lnk
[2011/03/17 00:13:20 | 000,000,031 | ---- | C] () -- C:\WINXP\sav.ini
[2010/11/25 04:52:31 | 000,000,552 | ---- | C] () -- C:\WINXP\System32\d3d8caps.dat
[2010/11/15 16:38:42 | 000,000,664 | ---- | C] () -- C:\WINXP\System32\d3d9caps.dat
[2010/11/11 10:16:52 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Application Data\start
[2010/09/11 23:50:49 | 000,004,096 | ---- | C] () -- C:\WINXP\d3dx.dat
[2010/07/29 22:03:33 | 000,000,056 | -H-- | C] () -- C:\WINXP\System32\ezsidmv.dat
[2010/07/08 12:47:14 | 000,000,577 | ---- | C] () -- C:\WINXP\System32\gmsblist.dll
[2010/02/23 00:48:00 | 000,071,680 | ---- | C] () -- C:\Documents and Settings\Edward Pena\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/17 17:02:24 | 000,000,000 | ---- | C] () -- C:\WINXP\nsreg.dat
[2010/02/17 14:15:31 | 000,000,370 | ---- | C] () -- C:\WINXP\ODBC.INI
[2010/02/17 13:53:39 | 000,049,152 | ---- | C] () -- C:\WINXP\System32\ChCfg.exe
[2010/02/17 13:53:06 | 000,147,456 | ---- | C] () -- C:\WINXP\System32\RtlCPAPI.dll
[2010/02/17 12:28:24 | 000,516,096 | ---- | C] () -- C:\WINXP\System32\ati2sgag.exe
[2010/02/17 11:22:33 | 000,002,048 | --S- | C] () -- C:\WINXP\bootstat.dat
[2010/02/17 11:16:12 | 000,021,640 | ---- | C] () -- C:\WINXP\System32\emptyregdb.dat
[2010/02/17 10:49:48 | 000,000,004 | ---- | C] () -- C:\Program Files\216640.dat
[2010/02/17 06:06:47 | 000,004,073 | ---- | C] () -- C:\WINXP\ODBCINST.INI
[2010/02/17 06:05:34 | 000,264,616 | ---- | C] () -- C:\WINXP\System32\FNTCACHE.DAT
[2010/02/16 15:19:39 | 000,000,004 | ---- | C] () -- C:\Program Files\515703.dat
[2010/02/16 15:10:11 | 000,000,004 | ---- | C] () -- C:\Program Files\380000.dat
[2010/02/16 14:55:02 | 000,000,004 | ---- | C] () -- C:\Program Files\203125.dat
[2010/02/09 20:36:03 | 000,000,004 | ---- | C] () -- C:\Program Files\4337265.dat
[2010/02/09 11:34:27 | 000,000,004 | ---- | C] () -- C:\Program Files\801734.dat
[2010/02/08 17:07:31 | 000,000,004 | ---- | C] () -- C:\Program Files\642250.dat
[2010/02/08 16:30:36 | 000,000,004 | ---- | C] () -- C:\Program Files\4091031.dat
[2010/02/08 16:23:41 | 000,012,516 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\3MCpwemL5YTJrov4siH01YW7mxkNBjFY8TpTq
[2010/02/08 14:57:48 | 000,000,004 | ---- | C] () -- C:\Program Files\936093.dat
[2010/02/08 14:41:33 | 000,000,004 | ---- | C] () -- C:\Program Files\1661062.dat
[2010/02/08 14:13:02 | 000,000,004 | ---- | C] () -- C:\Program Files\8665968.dat
[2010/02/08 11:47:46 | 000,000,004 | ---- | C] () -- C:\Program Files\1236390.dat
[2010/02/08 11:26:09 | 000,000,004 | ---- | C] () -- C:\Program Files\2282265.dat
[2010/02/08 10:47:17 | 000,000,004 | ---- | C] () -- C:\Program Files\5707171.dat
[2010/02/08 09:11:21 | 000,000,004 | ---- | C] () -- C:\Program Files\1911609.dat
[2010/02/07 22:08:20 | 000,000,004 | ---- | C] () -- C:\Program Files\1643296.dat
[2010/02/07 21:42:33 | 000,009,662 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\cXkOhMbP87Kh
[2010/02/06 18:11:34 | 000,015,606 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\cXkOhMbP87Kh
[2009/09/10 20:01:44 | 000,041,872 | ---- | C] () -- C:\WINXP\System32\xfcodec.dll
[2009/06/07 13:50:53 | 000,000,251 | ---- | C] () -- C:\Program Files\wt3d.ini
[2009/01/15 00:03:54 | 000,036,868 | ---- | C] () -- C:\Program Files\uninst-shine.exe
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINXP\System32\mlang.dat
[2008/04/14 08:00:00 | 000,475,466 | ---- | C] () -- C:\WINXP\System32\perfh009.dat
[2008/04/14 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINXP\System32\perfi009.dat
[2008/04/14 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINXP\System32\dssec.dat
[2008/04/14 08:00:00 | 000,076,374 | ---- | C] () -- C:\WINXP\System32\perfc009.dat
[2008/04/14 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINXP\System32\mib.bin
[2008/04/14 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINXP\System32\perfd009.dat
[2008/04/14 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINXP\System32\secupd.dat
[2008/04/14 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINXP\System32\Dcache.bin
[2008/04/14 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINXP\System32\noise.dat
[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- C:\WINXP\System32\OpenQuicktimeLib.dll
[2008/01/03 18:32:36 | 000,000,246 | ---- | C] () -- C:\Program Files\Common Files\quha
[2005/09/06 20:13:44 | 000,086,016 | ---- | C] () -- C:\WINXP\NMUninst18.exe
[2005/07/19 09:25:16 | 000,104,361 | ---- | C] () -- C:\WINXP\System32\atiicdxx.dat
[2004/08/18 13:59:14 | 013,107,200 | ---- | C] () -- C:\WINXP\System32\oembios.bin
[2004/08/18 13:58:40 | 000,005,269 | ---- | C] () -- C:\WINXP\System32\oembios.dat
[2003/01/07 11:05:08 | 000,002,695 | ---- | C] () -- C:\WINXP\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:9E46FAD0
@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:637A9205
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:D1AD90C3
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:35CC801E
@Alternate Data Stream - 135 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:1170D6E4
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:D4BE48F5
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:B30D9A49
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:92A815D8
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:BB8B6B1E
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:207C4C79
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:1CB4A530
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:12D2EB9C
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users.WINXP\Application Data\TEMP:E40EED9B

< End of report >


ComboFix 11-04-01.01 - Edward Pena 04/02/2011 9:20:21.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1470.939 [GMT -4:00]
Running from: C:\Documents and Settings\Edward Pena\Desktop\virus removal\ComboFix.exe
Command switches used :: C:\Documents and Settings\Edward Pena\Desktop\virus removal\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}


((((((((((((((((((((((((( Files Created from 2011-03-02 to 2011-04-02 )))))))))))))))))))))))))))))))


2011-03-28 05:38:47 . 2011-03-28 05:38:46 60808 ----a-w- C:\WINXP\system32\S32EVNT1.DLL
2011-03-28 05:38:47 . 2011-03-28 05:38:46 124976 ----a-w- C:\WINXP\system32\drivers\SYMEVENT.SYS
2011-03-28 05:38:46 . 2011-03-28 05:38:47 -------- d-----w- C:\Program Files\Symantec
2011-03-28 05:38:17 . 2011-03-28 18:25:59 -------- d-----w- C:\WINXP\system32\drivers\N360
2011-03-28 05:38:16 . 2011-03-28 05:38:17 -------- d-----w- C:\Program Files\Norton Security Suite
2011-03-28 05:38:16 . 2011-03-28 05:38:16 -------- d-----w- C:\Program Files\Windows Sidebar
2011-03-28 05:35:53 . 2011-03-28 05:35:53 -------- d-----w- C:\Program Files\NortonInstaller
2011-03-28 05:34:21 . 2011-03-28 05:38:16 -------- d-----w- C:\Documents and Settings\All Users.WINXP\Application Data\Norton
2011-03-27 20:17:20 . 2011-03-28 05:33:15 0 ----a-w- C:\WINXP\Dsomajurijafecuf.bin
2011-03-24 20:15:27 . 2011-03-24 20:15:27 -------- d-----w- C:\AntiVirus AntiSpyware 2011
2011-03-16 18:44:33 . 2011-03-16 22:19:42 -------- d-----w- C:\Documents and Settings\Edward Pena\Application Data\Hyybme
2011-03-16 18:44:33 . 2011-03-16 20:54:21 -------- d-----w- C:\Documents and Settings\Edward Pena\Application Data\Nyke
2011-03-15 03:35:47 . 2011-03-15 03:35:47 -------- d-----w- C:\Documents and Settings\Edward Pena\Application Data\cerasus.media
2011-03-13 19:55:26 . 2011-03-13 19:55:26 -------- d-----w- C:\Documents and Settings\All Users.WINXP\Application Data\MysteryChronicles
2011-03-13 17:24:59 . 2011-03-13 17:24:59 -------- d-----w- C:\Documents and Settings\Edward Pena\Application Data\TikisLab
2011-03-05 01:05:41 . 2011-03-05 01:05:41 -------- d-----w- C:\Documents and Settings\All Users.WINXP\Application Data\Kristanix Games


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-03-17 22:29:26 . 2011-02-14 22:05:00 71072 ----a-w- C:\WINXP\CouponPrinter.ocx
2011-02-26 23:42:42 . 2010-11-26 15:04:45 398760 ----a-r- C:\WINXP\system32\cpnprt2.cid
2011-02-09 13:53:52 . 2008-04-14 12:00:00 270848 ----a-w- C:\WINXP\system32\sbe.dll
2011-02-09 13:53:52 . 2008-04-14 12:00:00 186880 ----a-w- C:\WINXP\system32\encdec.dll
2011-02-03 01:40:23 . 2010-11-24 22:58:03 472808 ----a-w- C:\WINXP\system32\deployJava1.dll
2011-02-02 23:19:39 . 2010-11-24 22:58:04 73728 ----a-w- C:\WINXP\system32\javacpl.cpl
2011-02-02 07:58:35 . 2010-02-17 15:15:21 2067456 ----a-w- C:\WINXP\system32\mstscax.dll
2011-01-27 11:57:06 . 2010-02-17 15:15:21 677888 ----a-w- C:\WINXP\system32\mstsc.exe
2011-01-21 14:44:37 . 2008-04-14 12:00:00 439296 ----a-w- C:\WINXP\system32\shimgvw.dll
2011-01-07 14:09:02 . 2008-04-14 12:00:00 290048 ----a-w- C:\WINXP\system32\atmfd.dll
2009-01-15 04:04:41 . 2009-01-15 04:03:54 36868 -c--a-w- C:\Program Files\uninst-shine.exe
2006-07-15 09:01:22 . 2006-07-15 09:01:31 774144 ----a-w- C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 15:46:17 68856]
"Google Update"="C:\Documents and Settings\Edward Pena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 13:07:20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2010-11-17 18:22:57 329096]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-11-29 22:38:18 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-12-13 22:16:18 421160]
"Microsoft Default Manager"="C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 19:12:28 439568]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 17:08:30 935288]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 18:49:28 249064]
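The OTL file listings above are what a helper reads when choosing fix lines, and the pattern behind those choices is simple: recently written, no company name, sitting where a legitimate installer rarely drops loose items. As an added example (not OTL's own code and not from this thread), a Python parser for OTL's `[date | size | attrs | C/M] (company) -- path` line format with that triage heuristic; the sample lines are constructed from the format shown on this page, the profile name is a placeholder, and the output is a candidate list for a human, not a verdict.

```python
"""Triage OTL 'Files/Folders Created' and 'Files Modified' entries.

Parses OTL's one-line-per-entry listing and flags entries that deserve a
second look: recent, carrying no company name, and located in a drop
location (drive root, loose in %SystemRoot%, or top level of a profile's
Application Data). Entries under a trusted path (e.g. the AV's own
definition folder) are skipped.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Sequence

# [2011/03/24 16:15:27 | 000,000,000 | ---D | C] (Company) -- C:\path
OTL_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| "
    r"(?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)


class Entry(NamedTuple):
    ts: datetime
    size: int
    attrs: str               # R/H/S/D flags as OTL prints them; "---D" is a directory
    kind: str                # "C" = created, "M" = modified
    company: Optional[str]   # None when OTL printed "()" or nothing at all
    path: str


def parse_otl(text: str) -> List[Entry]:
    """Return every line matching the OTL entry format; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = OTL_ENTRY.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            ts=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            size=int(m.group("size").replace(",", "")),
            attrs=m.group("attrs"),
            kind=m.group("kind"),
            company=m.group("company") or None,
            path=m.group("path"),
        ))
    return entries


DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")
APPDATA_TOP = re.compile(r"\\Application Data\\[^\\]+$", re.IGNORECASE)


def in_suspect_location(path: str, system_root: str) -> bool:
    """Drive root, top level of Application Data, or directly inside the system root."""
    if DRIVE_ROOT.match(path) or APPDATA_TOP.search(path):
        return True
    prefix = system_root.rstrip("\\").lower() + "\\"
    if path.lower().startswith(prefix):
        return "\\" not in path[len(prefix):]   # loose file, not in a subfolder
    return False


def triage(text: str, report_date: datetime, window_days: int = 30,
           system_root: str = r"C:\WINXP",
           trusted: Sequence[str] = ("\\N360\\",)) -> List[Entry]:
    """Entries that are recent, have no company name, sit in a suspect location
    and are not under a trusted path. Order follows the log."""
    cutoff = report_date - timedelta(days=window_days)
    flagged = []
    for e in parse_otl(text):
        if e.ts < cutoff or e.company:
            continue
        if any(t.lower() in e.path.lower() for t in trusted):
            continue
        if in_suspect_location(e.path, system_root):
            flagged.append(e)
    return flagged


# Constructed sample modelled on the OTL format; <user> is a placeholder profile name.
SAMPLE_LOG = r"""
[2011/03/24 16:15:27 | 000,000,000 | ---D | C] -- C:\AntiVirus AntiSpyware 2011
[2011/03/28 01:38:46 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINXP\System32\drivers\SYMEVENT.SYS
[2011/03/27 16:17:20 | 000,000,120 | ---- | C] () -- C:\WINXP\Udaxubozerah.dat
[2011/03/28 14:23:16 | 000,577,842 | ---- | C] () -- C:\WINXP\System32\drivers\N360\0403000.005\Cat.DB
[2008/04/14 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINXP\System32\mlang.dat
[2011/03/16 14:44:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\<user>\Application Data\Hyybme
========== Alternate Data Streams ==========
"""
REPORT_DATE = datetime(2011, 4, 2, 9, 13, 15)   # constructed: when the sample log was taken

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG, REPORT_DATE):
        print(f"{e.ts:%Y-%m-%d} {e.kind} {e.attrs} {e.size:>9} {e.path}")
```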

#8 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 02 April 2011 - 10:33 AM

How is your computer doing now?
Shannon

#9 Nicholas334
  • Topic Starter
  • Members
  • 29 posts

Posted 03 April 2011 - 11:16 AM

I am getting a lot of script issues, with a popup that says "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete.

Script: chrome://ciff/content/core/dca/utils/DCAPostDataParser.js:29" with a button for Continue or Stop Script. If I click continue, the page hangs up, as does the internet.

#10 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 03 April 2011 - 04:12 PM

Hi-

Thanks for the update. Let's see if we can help that Java script problem.

First, we will clear the Java cache -
  • From the Start button, click Settings > Control Panel
  • In the Control Panel, open the "Java Plug-in Control Panel"
  • Select the Cache Tab
  • Click the Clear button inside the Cache Tab, which will clear your Java cache directory

Your Java runtimes are out of date. Please follow these steps to remove older version Java components and update:
  • Download the latest version here - Java Runtime Environment (JRE) Version 6
  • Scroll down to where it says "JDK 6 Update 24 (JRE) ...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.

Please run Malwarebytes' Anti-Malware (MBAM)
  • Click on the Update tab and click the Check for Updates button.
  • When the update is finished, click on the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

In your reply, please copy in the contents of the MBAM report.
Shannon

#11 Nicholas334
  • Topic Starter
  • Members
  • 29 posts

Posted 03 April 2011 - 10:29 PM

The MBAM logs show all clear, but I am still getting some popups in a new window sometimes when I am on the internet. Any suggestions or additional scans? I redid the Java as instructed, although my Java did say that it was JRE 6-24.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6264

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/3/2011 11:25:49 PM
mbam-log-2011-04-03 (23-25-49).txt

Scan type: Quick scan
Objects scanned: 222274
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 Nicholas334
  • Topic Starter
  • Members
  • 29 posts

Posted 04 April 2011 - 07:21 AM

This file was found to be malicious by Norton this morning and was removed:

c:\documents and settings\networkservice.nt authority\application data\sun\java\deployment\cache\6.0\30\3218df9e-4dbfa266
____________________________
____________________________
On computer as of
2/7/2011 at 7:31:37 AM
Last Used:
4/4/2011 at 7:12:35 AM
Startup Item: No
Launched: No
____________________________
____________________________
Very Few Users
Fewer than 10 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin

Downloaded from Not Available
____________________________
URL Not Available
UNTESTED

Source
3218df9e-4dbfa266
____________________________
File Actions
Infected file: c:\documents and settings\networkservice.nt authority\application data\sun\java\deployment\cache\6.0\30\3218df9e-4dbfa266
Removed
____________________________
File Thumbprint:
Not Available
____________________________

#13 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 04 April 2011 - 11:24 AM

Hi-

Java runtimes 24 - sorry - I had looked at an earlier scan which showed an earlier version.

What kind of popups are you getting? Are you just getting Java script errors?

Next, we need to run an OTL Fix.
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
:OTL
FF - HKLM\software\mozilla\Firefox\extensions\\offerboxffx@offerbox.com: C:\Program Files\OfferBox\offerboxffx@offerbox.com
[2011/03/16 14:45:19 | 000,001,919 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
[2011/03/24 16:15:27 | 000,000,000 | ---D | C] -- C:\AntiVirus AntiSpyware 2011
[2011/03/25 13:28:08 | 000,001,935 | ---- | M] () -- C:\AntiVirus AntiSpyware 2011.lnk
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} Reg Error: Key error. (Invoke Solutions Participant Control(MR))
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Value error. File not found
:commands
[emptytemp]
[resethosts]
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If you have to reboot, once back up, open the C:\_OTL\MovedFiles folder and copy the newest log into your next reply.

Shannon

#14 Nicholas334
  • Topic Starter
  • Members
  • 29 posts

Posted 05 April 2011 - 06:01 PM

I had gotten a separate window popup one time. I got this stop script message when I tried to access an email. It's weird because it is usually the same few senders whose emails pop this script up: Script: chrome://ciff/content/core/overlay/OverlayManager.js:49

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\offerboxffx@offerbox.com deleted successfully.
File C:\Program Files\OfferBox\offerboxffx@offerbox.com not found.
C:\Program Files\Mozilla Firefox\searchplugins\bing-zugo.xml moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
C:\AntiVirus AntiSpyware 2011 folder moved successfully.
C:\AntiVirus AntiSpyware 2011.lnk moved successfully.
Starting removal of ActiveX control {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D8AA889B-2C65-47C3-8C16-3DCD4EF76A47}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINXP\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-itss\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A9007C0-4076-11D3-8789-0000F8105754}\ deleted successfully.
File {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Value error. File not found not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Administrator.EDWARD-9A2E13D7
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: All Users.WINXP

User: Compaq_Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User.WINXP
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: Edward Pena
->Temp folder emptied: 159712 bytes
->Temporary Internet Files folder emptied: 13911264 bytes
->Java cache emptied: 7819828 bytes
->FireFox cache emptied: 104504689 bytes
->Google Chrome cache emptied: 557424 bytes
->Flash cache emptied: 161403 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 324877 bytes
->Flash cache emptied: 213093 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 5667840 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 16525088 bytes

Total Files Cleaned = 143.00 mb

C:\WINXP\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.22.3 log created on 04052011_002639

#15 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 06 April 2011 - 06:25 AM

Hi-

Which email service are you using and what browser are you using to access it?
Shannon
