Search Redirect Infection


This topic is locked
19 replies to this topic

#1 countpc (Members, 11 posts)

Posted 22 April 2011 - 11:23 PM

Hello,

I've been eyeing ComboFix, and it says I should get help from a site such as this, so here I am. I currently have the dreaded search redirect infection, and just like many people who've come through here, I've tried various other methods to fix the issue with no luck.

I'm hoping I can get help here so I look forward to hearing from you guys.

Best Regards,

CPC

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Then post your DDS and GMER logs as a reply to this topic. Once you have done that I will remove my reply and consolidate the posts so that you retain your correct place in the queue.

If you can produce at least some of the logs, then please explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.


Hi there,

Sorry for the delay. Below is the DDS log as requested, which actually generated two separate reports. The GMER scan ran for about four hours before freezing up, so I wasn't able to obtain a log from that, unfortunately.

Thanks for taking the time out to help and I look forward to the next step.

Best,

CPC

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/5/2008 2:00:08 PM
System Uptime: 4/25/2011 9:38:59 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0KD882
Processor: Genuine Intel® CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 73 GiB total, 9.179 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP215: 1/25/2011 5:19:37 PM - System Checkpoint
RP216: 1/27/2011 5:43:26 PM - System Checkpoint
RP217: 1/28/2011 6:17:05 PM - System Checkpoint
RP218: 1/31/2011 1:44:08 AM - System Checkpoint
RP219: 2/1/2011 4:15:02 PM - System Checkpoint
RP220: 2/3/2011 4:44:21 PM - Software Distribution Service 3.0
RP221: 2/3/2011 4:48:58 PM - Installed Zune 4.7
RP222: 2/3/2011 5:07:04 PM - Installed Windows XP Wudf01009.
RP223: 2/3/2011 5:11:53 PM - Installed Windows XP winusb0100.
RP224: 2/4/2011 10:31:08 PM - Removed Microsoft Works
RP225: 2/4/2011 10:41:04 PM - Removed Java™ 6 Update 4
RP226: 2/8/2011 4:48:08 PM - System Checkpoint
RP227: 2/9/2011 5:24:41 PM - System Checkpoint
RP228: 2/10/2011 1:16:02 PM - Software Distribution Service 3.0
RP229: 2/11/2011 5:17:18 PM - System Checkpoint
RP230: 2/11/2011 9:54:58 PM - Installed Microsoft Fix it 50581
RP231: 2/11/2011 9:56:37 PM - Installed Microsoft Fix it 50581
RP232: 2/11/2011 10:04:37 PM - Installed Windows XP winusb0100.
RP233: 2/14/2011 4:18:43 PM - System Checkpoint
RP234: 2/16/2011 4:38:23 PM - System Checkpoint
RP235: 2/17/2011 5:08:24 PM - System Checkpoint
RP236: 2/18/2011 6:08:20 PM - System Checkpoint
RP237: 2/19/2011 9:18:41 PM - System Checkpoint
RP238: 2/21/2011 4:34:23 PM - System Checkpoint
RP239: 2/22/2011 12:15:05 AM - Installed AVG 2011
RP240: 2/22/2011 12:16:21 AM - Installed AVG 2011
RP241: 2/23/2011 10:03:46 PM - System Checkpoint
RP242: 2/24/2011 11:15:25 PM - System Checkpoint
RP243: 2/26/2011 1:20:32 AM - System Checkpoint
RP244: 3/5/2011 12:00:20 AM - System Checkpoint
RP245: 3/6/2011 7:56:42 PM - System Checkpoint
RP246: 3/7/2011 10:51:34 PM - System Checkpoint
RP247: 3/9/2011 1:29:33 PM - Software Distribution Service 3.0
RP248: 3/10/2011 4:24:58 PM - System Checkpoint
RP249: 3/11/2011 5:23:49 PM - System Checkpoint
RP250: 3/13/2011 11:02:57 PM - System Checkpoint
RP251: 3/15/2011 3:36:59 PM - System Checkpoint
RP252: 3/15/2011 5:26:39 PM - Software Distribution Service 3.0
RP253: 3/16/2011 5:36:59 PM - System Checkpoint
RP254: 3/18/2011 3:42:50 PM - System Checkpoint
RP255: 3/20/2011 6:50:02 PM - System Checkpoint
RP256: 3/21/2011 7:46:01 PM - System Checkpoint
RP257: 3/23/2011 12:15:49 AM - System Checkpoint
RP258: 3/24/2011 3:00:29 AM - Software Distribution Service 3.0
RP259: 3/25/2011 4:31:24 PM - System Checkpoint
RP260: 3/27/2011 11:41:08 PM - System Checkpoint
RP261: 3/29/2011 6:48:44 PM - System Checkpoint
RP262: 3/31/2011 4:17:01 PM - System Checkpoint
RP263: 4/1/2011 4:50:06 PM - System Checkpoint
RP264: 4/2/2011 6:28:51 PM - System Checkpoint
RP265: 4/3/2011 11:27:39 PM - System Checkpoint
RP266: 4/5/2011 3:45:36 PM - System Checkpoint
RP267: 4/6/2011 4:17:13 PM - System Checkpoint
RP268: 4/7/2011 4:56:16 PM - System Checkpoint
RP269: 4/8/2011 5:58:07 PM - System Checkpoint
RP270: 4/9/2011 6:29:28 PM - System Checkpoint
RP271: 4/11/2011 6:32:01 PM - System Checkpoint
RP272: 4/12/2011 11:46:45 PM - System Checkpoint
RP273: 4/14/2011 4:14:02 PM - System Checkpoint
RP274: 4/15/2011 3:01:08 AM - Software Distribution Service 3.0
RP275: 4/16/2011 1:10:21 PM - Software Distribution Service 3.0
RP276: 4/22/2011 9:12:01 PM - Removed AVG 2011
RP277: 4/22/2011 9:14:13 PM - Removed AVG 2011
RP278: 4/24/2011 7:34:45 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
7-Zip 4.65
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATT-PRT22
BitTorrent
Blue Squirrel ClickBook 9.0
Bonjour
Broadcom 440x 10/100 Integrated Controller
Canon Easy-WebPrint EX
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.0
Canon MP640 series MP Drivers
Canon MP640 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Choice Guard
Cinergy Script Editor
CloneDVD2
Cobian Backup 10
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Download Updater (AOL LLC)
EPSON Printer Software
Final Draft 7
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format 11 SDK (KB973442)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
iTunes
Java 2 Runtime Environment, SE v1.4.2_10
Java™ 6 Update 5
KONICA MINOLTA magicolor 2500W
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft Speech Recognition Engine 4.0 (English)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Web Publishing Wizard 1.52
mIWA
mLogView
mMHouse
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.5.17)
mPfMgr
mPfWiz
mProSafe
mSCfg
MSN
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mWMI
mZConfig
neroxml
oDesk MiniCam 2.0.73
oDesk ScreenSnap 2.0.113
oDesk Share 2.0.69
oDesk Team 2.0.140
OGA Notifier 2.0.0048.0
PGP Desktop
PowerDVD
PrimoPDF -- brought to you by Nitro PDF Software
QuickSet
QuickTime
RegCure 1.5.0.0
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office Groove 2007 (KB2494047)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2464594)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SigmaTel Audio
Sonic DLA
Sonic RecordNow!
Sony USB Driver
Synaptics Pointing Device Driver
Ulead PhotoImpact X3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2522999)
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.0.0
vShare Plugin
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Presentation Foundation
Windows XP Service Pack 3
WordPerfect Office 12
XML Paper Specification Shared Components Pack 1.0
Yahoo! Install Manager
Zune Language Pack (PTG)
.
==== Event Viewer Messages From Past Week ========
.
4/21/2011 1:56:39 PM, error: Service Control Manager [7001] - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/21/2011 1:46:08 PM, error: Service Control Manager [7000] - The Zune Bus Enumerator Driver service failed to start due to the following error: The system cannot find the file specified.
4/21/2011 1:46:08 PM, error: Service Control Manager [7000] - The Machnm32 Driver service failed to start due to the following error: The system cannot find the file specified.
4/20/2011 4:34:53 AM, error: Print [19] - Sharing printer failed + 1722, Printer Acrobat Distiller share name Printer9.
4/20/2011 2:03:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/20/2011 1:57:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/20/2011 1:54:41 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Avgldx86 Avgmfx86 Fips intelppm
.
==== End Of File ===========================

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Lisa at 21:51:09.48 on Mon 04/25/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.282 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\windows\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\windows\system32\PGPserv.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\wuauclt.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\Lisa\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig?hl=en
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KONICA MINOLTA magicolor 2500W STD] c:\windows\system32\MSTMON02.EXE STARTUP
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
StartupFolder: c:\docume~1\lisa\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{6798f012-57c5-49ad-9a9d-4097616f4e1b}\Icon6560581611.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\PGPlsp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5672/mcfscan.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\PGPmapih.dll PGPmapih.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lisa\applic~1\mozilla\firefox\profiles\zvvkrigw.default\
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C7295176-C684-4B56-B73E-9957D73B7647} - c:\documents and settings\windowsxp\local settings\application data\{C7295176-C684-4B56-B73E-9957D73B7647}
.
============= SERVICES / DRIVERS ===============
.
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2009-3-4 135736]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-4-25 67584]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-11-30 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-4-5 20160]
.
=============== File Associations ===============
.
.txt=e-NoteTaker.Document
.
=============== Created Last 30 ================
.
2011-04-25 21:37:26 -------- d-----w- c:\docume~1\lisa\locals~1\applic~1\Safe mirror
2011-04-25 21:35:33 -------- d-----w- c:\program files\Cobian Backup 10
2011-04-24 20:23:42 1073228 ----a-w- c:\windows\system32\null0.3072407143806358.exe
2011-04-23 01:20:47 98816 ----a-w- c:\windows\sed.exe
2011-04-23 01:20:47 89088 ----a-w- c:\windows\MBR.exe
2011-04-23 01:20:47 256512 ----a-w- c:\windows\PEV.exe
2011-04-23 01:20:47 161792 ----a-w- c:\windows\SWREG.exe
2011-04-19 06:18:11 -------- dc----w- C:\$AVG
2011-04-18 18:29:17 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-18 18:19:46 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-18 18:19:43 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-18 18:18:08 -------- dc----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-17 22:34:26 0 ----a-w- c:\windows\Wgodadazad.bin
2011-04-15 00:18:22 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
.
==================== Find3M ====================
.
2011-04-20 18:01:57 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-04-20 18:01:57 152 --sh--r- c:\windows\system32\30B6BFF0E4.sys
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 23:03:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541080G9SA00 rev.MB4OC60R -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870E14F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x870e77d0]; MOV EAX, [0x870e784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8713FAB8]
3 CLASSPNP[0xF75DDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000071[0x871D0260]
5 ACPI[0xF7454620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x871CFD98]
\Driver\atapi[0x8715E030] -> IRP_MJ_CREATE -> 0x870E14F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x870E133B
user & kernel MBR OK
copy of MBR has been found in sector 153340425
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:55:54.31 ===============

EDIT: Posts merged ~Budapest

Edited by Budapest, 26 April 2011 - 03:29 PM.
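The GMER section of the DDS log above is the part worth a second look: the disk stack has an unknown DriverStartIo hook on \Driver\atapi, the kernel-read MBR looks like the stock Windows XP loader, and yet a copy of the MBR sits in sector 153340425, near the end of the 80 GB drive. That combination is why the tool prints "possible TDL3 rootkit infection": a bootkit keeps the original loader somewhere so it can chain to it, and a hooked driver can hand back the clean sector when the live system reads sector 0. The script below is an added example, not code from the original post or from GMER; it shows the comparison such a detector makes. It parses an MBR, scans the rest of an image for sectors carrying the same partition table with a boot signature, and reports whether their boot code differs from the live sector. The 8-sector disk image, the stand-in "attacker" boot code, the verdict names and the function names are all constructed for this example; the known-good prefix is my hand-assembled byte encoding of the instructions GMER disassembled in the log.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table: 4 entries of 16 bytes at 446..509
SIG_OFFSET = 510         # 0x55 0xAA boot signature

# The first instructions GMER disassembled from this machine's kernel-read MBR
# (xor ax,ax / mov ss,ax / mov sp,0x7c00 / sti / push ax / pop es / push ax / pop ds /
#  cld / mov si,0x7c1b / mov di,0x61b / push ax / push di / mov cx,0x1e5 / rep movsb / retf),
# hand-assembled here into their byte encoding and used as a known-good prefix.
XP_MBR_PREFIX = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB")

# Verdicts produced by assess_disk (names are this example's own, not GMER's).
CLEAN = "clean"
NO_MBR = "no_mbr"
NONSTOCK = "nonstock_boot_code"
COPY_ONLY = "mbr_copy_found"
BOOTKIT = "possible_bootkit"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass
class Mbr:
    boot_code: bytes
    partitions: list
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Split one 512-byte sector into boot code, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PT_OFFSET + 16 * i)
        if ptype != 0:                       # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    sig_ok = sector[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA"
    return Mbr(bytes(sector[:PT_OFFSET]), parts, sig_ok)


def find_mbr_copies(disk: bytes, live_table: bytes) -> list:
    """Sectors (other than 0) that carry a boot signature and the live MBR's partition table."""
    hits = []
    for lba in range(1, len(disk) // SECTOR_SIZE):
        raw = disk[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if raw[SIG_OFFSET:SIG_OFFSET + 2] == b"\x55\xAA" and raw[PT_OFFSET:SIG_OFFSET] == live_table:
            hits.append(lba)
    return hits


def assess_disk(disk: bytes) -> dict:
    """Cross-check sector 0 against any stashed MBR copy elsewhere on the disk."""
    live_raw = disk[:SECTOR_SIZE]
    live = parse_mbr(live_raw)
    if not live.signature_ok:
        return {"verdict": NO_MBR, "copies": [], "stock_boot_code": False, "boot_code_replaced": False}
    copies = find_mbr_copies(disk, live_raw[PT_OFFSET:SIG_OFFSET])
    stock = live.boot_code.startswith(XP_MBR_PREFIX)
    # A bootkit keeps the original loader so it can chain to it after its own code runs;
    # a copy whose boot code differs from the live sector is that stashed original.
    replaced = any(disk[c * SECTOR_SIZE:c * SECTOR_SIZE + PT_OFFSET] != live.boot_code for c in copies)
    if replaced:
        verdict = BOOTKIT
    elif copies:
        verdict = COPY_ONLY      # live sector matches the copy: reads may be filtered by a hooked driver
    elif not stock:
        verdict = NONSTOCK
    else:
        verdict = CLEAN
    return {"verdict": verdict, "copies": copies, "stock_boot_code": stock, "boot_code_replaced": replaced}


def build_sample_disk(infected: bool = True) -> bytes:
    """Constructed 8-sector image with one NTFS partition. If infected, the stock loader
    is stashed at sector 6 and sector 0 carries replacement boot code."""
    table = bytearray(64)
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 153_340_362)
    stock = XP_MBR_PREFIX.ljust(PT_OFFSET, b"\x00") + bytes(table) + b"\x55\xAA"
    disk = bytearray(8 * SECTOR_SIZE)
    if not infected:
        disk[:SECTOR_SIZE] = stock
        return bytes(disk)
    # Stand-in for attacker boot code: a far jump plus padding (not real malware).
    replaced_code = (b"\xEA\x00\x7C\x00\x00" + b"\x90" * 16).ljust(PT_OFFSET, b"\x00")
    disk[:SECTOR_SIZE] = replaced_code + bytes(table) + b"\x55\xAA"
    disk[6 * SECTOR_SIZE:7 * SECTOR_SIZE] = stock
    return bytes(disk)


if __name__ == "__main__":
    for flag in (True, False):
        print("infected" if flag else "clean   ", assess_disk(build_sample_disk(flag)))
```

To run this against a real drive, feed it a raw image taken from offline boot media rather than a read of \\.\PhysicalDrive0 on the running system: the log above shows exactly the case where the live read comes back "OK" while the hooked atapi driver sits between the reader and the platter. The `mbr_copy_found` verdict is the shape of this machine's result, a live sector that matches its copy; Windows itself never stores a second MBR, so that copy still needs explaining.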




#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home
  • Local time:08:54 PM

Posted 01 May 2011 - 08:33 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is the version, the edition and whether it is a 32-bit or a 64-bit system.
If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.


Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Tick the "Scan All Users" checkbox.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    wininit.exe
    hlp.dat
    /md5stop
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it, select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM unless I am already helping you. Use the forums!

 



#3 countpc

countpc
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:54 PM

Posted 01 May 2011 - 01:19 PM

Hi,

I understand you guys are overwhelmed and appreciate the time you are taking out of your schedule to assist. It appears as if I have a search/browser redirect infection of some sort. When clicking on search results, I'm often taken to different destinations, some of which look pretty dangerous. My browser will sometimes pull up web pages on its own if I'm sitting idle long enough.

So far I've run the DDS and GMER tools. The DDS tool ran successfully and I posted the log with my last post. Unfortunately, the GMER tool froze during the scan process, so I was unable to post the log. Per your request, I also ran the OTL tool, and the results of that are posted below in the form of two logs.

Thank you for your time and I look forward to moving on to the next step.

Best,

CPC

OTL logfile created on: 5/1/2011 1:34:02 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lisa\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 73.12 Gb Total Space | 9.36 Gb Free Space | 12.81% Space Free | Partition Type: NTFS

Computer Name: WINDOWSX-253476 | User Name: Lisa | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/01 13:32:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa\Desktop\OTL.exe
PRC - [2010/09/23 09:49:08 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) -- C:\Program Files\Cobian Backup 10\cbVSCService.exe
PRC - [2009/07/26 14:10:00 | 001,983,816 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2009/05/19 18:39:44 | 000,136,544 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/03/04 19:19:14 | 000,102,968 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPserv.exe
PRC - [2008/09/01 03:24:13 | 000,185,896 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 04:25:21 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
PRC - [2008/02/22 04:25:20 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
PRC - [2007/08/02 21:08:00 | 000,095,504 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
PRC - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () -- C:\WINDOWS\system32\PSIService.exe
PRC - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2006/04/18 03:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE


========== Modules (SafeList) ==========

MOD - [2011/05/01 13:32:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa\Desktop\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/03/04 19:19:18 | 000,064,056 | ---- | M] (PGP Corporation) -- C:\WINDOWS\system32\PGPmapih.dll
MOD - [2007/03/30 20:59:08 | 000,102,400 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2010/09/23 09:49:08 | 000,067,584 | ---- | M] (CobianSoft, Luis Cobian) [Auto | Running] -- C:\Program Files\Cobian Backup 10\cbVSCService.exe -- (cbVSCService)
SRV - [2009/03/04 19:19:14 | 000,102,968 | ---- | M] (PGP Corporation) [Auto | Running] -- C:\WINDOWS\system32\PGPserv.exe -- (PGPserv)
SRV - [2007/10/08 15:15:50 | 000,356,352 | ---- | M] (Intel Corporation) [Disabled | Stopped] -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- (WLANKEEPER) Intel®
SRV - [2007/06/05 13:20:32 | 000,177,704 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\PSIService.exe -- (ProtexisLicensing)
SRV - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2006/04/18 03:00:00 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE -- (EPSON_PM_RPCV4_01) EPSON V3 Service4(01)


========== Driver Services (SafeList) ==========

DRV - [2010/01/02 18:31:32 | 000,685,816 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/08/14 09:45:24 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/08/14 09:45:24 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/03/04 19:19:20 | 000,246,328 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\windows\System32\drivers\PGPdisk.sys -- (PGPdisk)
DRV - [2009/03/04 19:19:20 | 000,040,504 | ---- | M] (PGP Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\PGPsdk.sys -- (PGPsdkDriver)
DRV - [2009/03/04 19:19:14 | 000,213,048 | ---- | M] (PGP Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\PGPwded.sys -- (PGPwded)
DRV - [2009/03/04 19:19:14 | 000,135,736 | ---- | M] (PGP Corporation) [File_System | Boot | Running] -- C:\windows\System32\Drivers\PGPfsfd.sys -- (pgpfs)
DRV - [2007/09/26 07:01:32 | 002,236,032 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/08/27 12:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/05/10 11:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2006/11/21 05:25:44 | 000,045,568 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2006/11/15 01:16:24 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/14 20:42:46 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\windows\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/03/21 12:17:07 | 000,017,024 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AnyDVD.sys -- (AnyDVD)
DRV - [2004/01/27 15:13:45 | 000,003,840 | ---- | M] (Elaborate Bytes) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
DRV - [2002/10/15 22:41:06 | 000,102,220 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sonypvs1.sys -- (sonypvs1)
DRV - [2001/08/17 13:11:18 | 000,020,160 | ---- | M] (ADMtek Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADM8511.SYS -- (ADM8511)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Search Bar = http://search.msn.com/spbasic.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1644491937-515967899-839522115-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
IE - HKU\S-1-5-21-1644491937-515967899-839522115-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {C7295176-C684-4B56-B73E-9957D73B7647}:1.9.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord
FF - HKLM\software\mozilla\Firefox\Extensions\\{C7295176-C684-4B56-B73E-9957D73B7647}: C:\Documents and Settings\WindowsXP\Local Settings\Application Data\{C7295176-C684-4B56-B73E-9957D73B7647}\ [2011/04/17 18:34:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.17\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/22 21:36:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.17\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/18 18:41:34 | 000,000,000 | ---D | M]

[2008/09/21 14:24:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lisa\Application Data\Mozilla\Extensions
[2010/01/01 09:26:35 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\zvvkrigw.default\extensions
[2010/01/01 09:26:35 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lisa\Application Data\Mozilla\Firefox\Profiles\zvvkrigw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/04/17 18:38:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/17 18:34:25 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\WINDOWSXP\LOCAL SETTINGS\APPLICATION DATA\{C7295176-C684-4B56-B73E-9957D73B7647}
[2005/12/05 22:31:00 | 000,114,688 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npmozax.dll

Hosts file not found
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKU\S-1-5-21-1644491937-515967899-839522115-1006\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [KONICA MINOLTA magicolor 2500W STD] C:\windows\System32\MSTMON02.EXE (KONICA MINOLTA BUSINESS TECHNOLOGIES, INC.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe (Ulead Systems, Inc.)
O4 - HKU\S-1-5-21-1644491937-515967899-839522115-1006..\RunOnce: [FlashPlayerUpdate] C:\windows\System32\Macromed\Flash\FlashUtil10l_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk = C:\WINDOWS\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1644491937-515967899-839522115-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1644491937-515967899-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1644491937-515967899-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1644491937-515967899-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\windows\System32\PGPlsp.dll (PGP Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\windows\System32\PGPlsp.dll (PGP Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx (get_atlcom Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} http://support.microsoft.com/mats/DiagWebControl.cab (Diagnostics ActiveX WebControl)
O16 - DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab (Java Plug-in 1.4.2_10)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5672/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\PGPmapih.dll) - C:\WINDOWS\system32\PGPmapih.dll (PGP Corporation)
O20 - AppInit_DLLs: (PGPmapih.dll) - C:\windows\System32\PGPmapih.dll (PGP Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lisa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/04/05 13:56:39 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

MsConfig - Services: "WLANKEEPER"
MsConfig - Services: "S24EventMonitor"
MsConfig - Services: "RegSrvc"
MsConfig - Services: "EvtEng"
MsConfig - Services: "TapiSrv"
MsConfig - Services: "Apple Mobile Device"
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe - (Adobe Systems Inc.)
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk - - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk - - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ONE Launcher.lnk - Reg Error: Value error. - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^WindowsXP^Start Menu^Programs^Startup^Antimalware Doctor.lnk - Reg Error: Value error. - File not found
MsConfig - StartUpFolder: C:^Documents and Settings^WindowsXP^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE - (Microsoft Corporation)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: AnyDVD - hkey= - key= - C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe (SlySoft, Inc.)
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= - File not found
MsConfig - StartUpReg: Dell QuickSet - hkey= - key= - C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
MsConfig - StartUpReg: dla - hkey= - key= - File not found
MsConfig - StartUpReg: GrooveMonitor - hkey= - key= - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
MsConfig - StartUpReg: IntelWireless - hkey= - key= - C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
MsConfig - StartUpReg: IntelZeroConfig - hkey= - key= - C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
MsConfig - StartUpReg: ISUSPM Startup - hkey= - key= - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe (InstallShield Software Corporation)
MsConfig - StartUpReg: ISUSScheduler - hkey= - key= - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
MsConfig - StartUpReg: MSMSGS - hkey= - key= - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: SynTPEnh - hkey= - key= - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
MsConfig - StartUpReg: TkBellExe - hkey= - key= - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA851-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\windows\system32\Rundll32.exe c:\windows\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {ECD292A0-0347-4244-8C24-5DBCE990FB40} - Hotfix for Microsoft .NET Framework 3.0 (KB932471)
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\windows\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\windows\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\windows\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\windows\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\windows\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\windows\System32\ir50_32.dll (Intel Corporation)

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2011/05/01 13:32:06 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lisa\Desktop\OTL.exe
[2011/04/25 22:10:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lisa\Desktop\gmer
[2011/04/25 17:37:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lisa\Local Settings\Application Data\Safe mirror
[2011/04/25 17:37:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Cobian Backup 10
[2011/04/25 17:35:33 | 000,000,000 | ---D | C] -- C:\Program Files\Cobian Backup 10
[2011/04/25 17:33:32 | 015,492,608 | ---- | C] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\Lisa\Desktop\cbSetup.exe
[2011/04/25 01:05:24 | 001,028,096 | ---- | C] (Defender Software) -- C:\Documents and Settings\LocalService\Application Data\defender.exe
[2011/04/24 16:23:42 | 001,073,228 | ---- | C] (fghuy6754456y7u ) -- C:\windows\System32\null0.3072407143806358.exe
[2011/04/24 16:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/04/24 03:14:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lisa\Application Data\dvdcss
[2011/04/22 21:20:47 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2011/04/22 21:20:47 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2011/04/22 21:20:47 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2011/04/22 21:20:47 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2011/04/22 21:12:21 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2011/04/22 20:47:52 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2011/04/22 20:40:32 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/22 20:06:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/04/19 02:18:11 | 000,000,000 | ---D | C] -- C:\$AVG
[2011/04/18 14:29:17 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\windows\System32\bootdelete.exe
[2011/04/18 14:19:43 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2011/04/18 14:18:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2011/04/17 19:51:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/04/17 19:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/04/17 19:09:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/04/17 19:09:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/04/14 20:18:22 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\dllcache\dnsrslvr.dll
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/01 13:35:52 | 000,001,324 | ---- | M] () -- C:\windows\System32\d3d9caps.dat
[2011/05/01 13:35:00 | 000,000,430 | -H-- | M] () -- C:\windows\tasks\User_Feed_Synchronization-{11505FE9-9052-4AA0-9039-A5E39BC2C2C7}.job
[2011/05/01 13:34:00 | 000,000,892 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/01 13:32:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa\Desktop\OTL.exe
[2011/05/01 13:25:10 | 000,002,295 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
[2011/05/01 13:25:07 | 000,002,206 | ---- | M] () -- C:\windows\System32\wpa.dbl
[2011/05/01 13:25:06 | 000,000,888 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/01 13:24:34 | 000,002,048 | --S- | M] () -- C:\windows\bootstat.dat
[2011/04/25 21:59:13 | 000,293,019 | ---- | M] () -- C:\Documents and Settings\Lisa\Desktop\gmer.zip
[2011/04/25 21:50:16 | 000,625,664 | ---- | M] () -- C:\Documents and Settings\Lisa\Desktop\dds.scr
[2011/04/25 18:37:37 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/25 17:33:32 | 015,492,608 | ---- | M] (Luis Cobian, CobianSoft) -- C:\Documents and Settings\Lisa\Desktop\cbSetup.exe
[2011/04/24 18:48:47 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\Lisa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/24 18:22:45 | 000,000,787 | ---- | M] () -- C:\windows\cdplayer.ini
[2011/04/24 16:24:04 | 001,073,228 | ---- | M] (fghuy6754456y7u ) -- C:\windows\System32\null0.3072407143806358.exe
[2011/04/22 21:08:08 | 004,327,458 | R--- | M] () -- C:\Documents and Settings\Lisa\Desktop\ComboFix.exe
[2011/04/22 20:04:16 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Lisa\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/04/20 14:01:57 | 000,006,580 | -HS- | M] () -- C:\windows\System32\KGyGaAvL.sys
[2011/04/20 14:01:57 | 000,000,152 | RHS- | M] () -- C:\windows\System32\30B6BFF0E4.sys
[2011/04/18 15:43:59 | 000,000,129 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\Shortcut to CD Drive.lnk
[2011/04/18 14:42:18 | 000,016,968 | ---- | M] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/04/18 14:29:17 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\windows\System32\bootdelete.exe
[2011/04/17 18:34:26 | 000,000,120 | ---- | M] () -- C:\windows\Ffodonafazeqeq.dat
[2011/04/17 18:34:26 | 000,000,000 | ---- | M] () -- C:\windows\Wgodadazad.bin
[2011/04/16 13:28:02 | 000,444,800 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2011/04/16 13:28:02 | 000,072,510 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2011/04/16 13:20:46 | 000,001,374 | ---- | M] () -- C:\windows\imsins.BAK
[2011/04/15 12:01:08 | 000,419,040 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[4 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]
[1 C:\windows\System32\*.tmp files -> C:\windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/25 21:59:07 | 000,293,019 | ---- | C] () -- C:\Documents and Settings\Lisa\Desktop\gmer.zip
[2011/04/25 21:50:13 | 000,625,664 | ---- | C] () -- C:\Documents and Settings\Lisa\Desktop\dds.scr
[2011/04/24 02:58:21 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\Lisa\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/22 21:20:47 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
[2011/04/22 21:20:47 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2011/04/22 21:20:47 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe
[2011/04/22 21:20:47 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2011/04/22 21:20:47 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2011/04/22 21:07:48 | 004,327,458 | R--- | C] () -- C:\Documents and Settings\Lisa\Desktop\ComboFix.exe
[2011/04/18 15:43:59 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\Shortcut to CD Drive.lnk
[2011/04/18 14:19:46 | 000,016,968 | ---- | C] () -- C:\windows\System32\drivers\hitmanpro35.sys
[2011/04/17 18:46:20 | 000,001,324 | ---- | C] () -- C:\windows\System32\d3d9caps.dat
[2011/04/17 18:34:26 | 000,000,120 | ---- | C] () -- C:\windows\Ffodonafazeqeq.dat
[2011/04/17 18:34:26 | 000,000,000 | ---- | C] () -- C:\windows\Wgodadazad.bin
[2011/01/04 17:42:48 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/11/27 22:04:51 | 000,176,235 | ---- | C] () -- C:\windows\System32\Primomonnt.dll
[2010/11/27 20:17:12 | 000,034,308 | ---- | C] () -- C:\windows\System32\BASSMOD.dll
[2010/02/19 00:37:21 | 000,000,026 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.119889580931711767808769176
[2010/02/19 00:09:36 | 000,000,021 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\.24554863501262644635642126105
[2009/12/20 21:42:18 | 000,000,314 | ---- | C] () -- C:\windows\primopdf.ini
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\windows\System32\OGAEXEC.exe
[2009/06/28 13:50:53 | 000,003,654 | ---- | C] () -- C:\windows\System32\drivers\Sonyhcp.dll
[2009/03/04 19:19:14 | 000,000,280 | ---- | C] () -- C:\windows\System32\PGPsdk.dll.sig
[2008/08/12 14:34:29 | 000,210,944 | ---- | C] () -- C:\windows\System32\Msvcrt10.dll
[2008/08/12 14:34:24 | 000,065,536 | ---- | C] () -- C:\windows\System32\adistres.dll
[2008/08/01 21:02:15 | 000,005,632 | ---- | C] () -- C:\windows\System32\CNMVS45.DLL
[2008/07/24 23:48:05 | 000,000,030 | ---- | C] () -- C:\windows\Iedit_.INI
[2008/07/22 15:08:50 | 000,000,056 | -H-- | C] () -- C:\windows\System32\ezsidmv.dat
[2008/07/12 14:11:56 | 000,000,498 | ---- | C] () -- C:\windows\eZip.INI
[2008/07/05 15:50:13 | 000,684,032 | ---- | C] () -- C:\windows\System32\ltmm_n.dll
[2008/07/04 16:18:41 | 000,000,138 | ---- | C] () -- C:\windows\wininit.ini
[2008/06/13 17:43:34 | 000,001,203 | ---- | C] () -- C:\windows\mozver.dat
[2008/06/09 16:31:37 | 000,000,000 | ---- | C] () -- C:\windows\nsreg.dat
[2008/06/09 11:56:22 | 000,000,787 | ---- | C] () -- C:\windows\cdplayer.ini
[2008/05/11 20:59:58 | 000,000,125 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\.zreglib
[2008/04/19 12:25:29 | 000,061,678 | ---- | C] () -- C:\Documents and Settings\Lisa\Application Data\PFP120JPR.{PB
[2008/04/19 12:25:29 | 000,012,358 | ---- | C] () -- C:\Documents and Settings\Lisa\Application Data\PFP120JCM.{PB
[2008/04/08 20:06:17 | 000,006,580 | -HS- | C] () -- C:\windows\System32\KGyGaAvL.sys
[2008/04/08 20:06:17 | 000,000,152 | RHS- | C] () -- C:\windows\System32\30B6BFF0E4.sys
[2008/04/08 03:11:09 | 000,000,000 | ---- | C] () -- C:\windows\RussSqr.INI
[2008/04/07 18:19:31 | 000,000,097 | ---- | C] () -- C:\windows\System32\PICSDK.ini
[2008/04/07 18:19:30 | 000,073,220 | ---- | C] () -- C:\windows\System32\EPPICPrinterDB.dat
[2008/04/07 18:19:30 | 000,031,053 | ---- | C] () -- C:\windows\System32\EPPICPattern131.dat
[2008/04/07 18:19:30 | 000,029,114 | ---- | C] () -- C:\windows\System32\EPPICPattern1.dat
[2008/04/07 18:19:30 | 000,027,417 | ---- | C] () -- C:\windows\System32\EPPICPattern121.dat
[2008/04/07 18:19:30 | 000,021,021 | ---- | C] () -- C:\windows\System32\EPPICPattern3.dat
[2008/04/07 18:19:30 | 000,015,670 | ---- | C] () -- C:\windows\System32\EPPICPattern5.dat
[2008/04/07 18:19:30 | 000,013,280 | ---- | C] () -- C:\windows\System32\EPPICPattern2.dat
[2008/04/07 18:19:30 | 000,010,673 | ---- | C] () -- C:\windows\System32\EPPICPattern4.dat
[2008/04/07 18:19:30 | 000,004,943 | ---- | C] () -- C:\windows\System32\EPPICPattern6.dat
[2008/04/07 18:19:30 | 000,001,140 | ---- | C] () -- C:\windows\System32\EPPICPresetData_PT.dat
[2008/04/07 18:19:30 | 000,001,140 | ---- | C] () -- C:\windows\System32\EPPICPresetData_BP.dat
[2008/04/07 18:19:30 | 000,001,137 | ---- | C] () -- C:\windows\System32\EPPICPresetData_ES.dat
[2008/04/07 18:19:30 | 000,001,130 | ---- | C] () -- C:\windows\System32\EPPICPresetData_FR.dat
[2008/04/07 18:19:30 | 000,001,130 | ---- | C] () -- C:\windows\System32\EPPICPresetData_CF.dat
[2008/04/07 18:19:30 | 000,001,104 | ---- | C] () -- C:\windows\System32\EPPICPresetData_EN.dat
[2008/04/07 18:17:48 | 000,000,083 | ---- | C] () -- C:\windows\EPSPR260.ini
[2008/04/07 17:12:25 | 000,061,440 | R--- | C] () -- C:\windows\System32\MCOINS02.DLL
[2008/04/07 16:48:34 | 000,011,079 | -H-- | C] () -- C:\Program Files\folder.htt
[2008/04/07 12:03:48 | 000,000,116 | ---- | C] () -- C:\windows\NeroDigital.ini
[2008/04/06 18:02:34 | 000,001,677 | ---- | C] () -- C:\windows\Clikbook.ini
[2008/04/05 14:00:15 | 000,002,048 | --S- | C] () -- C:\windows\bootstat.dat
[2008/04/05 13:52:46 | 000,021,640 | ---- | C] () -- C:\windows\System32\emptyregdb.dat
[2008/04/05 13:42:03 | 000,204,800 | ---- | C] () -- C:\windows\System32\igfxCoIn_v4814.dll
[2008/04/05 13:40:20 | 000,376,832 | ---- | C] () -- C:\windows\System32\AegisI5Installer.exe
[2008/04/05 13:22:12 | 000,016,480 | ---- | C] () -- C:\windows\System32\rixdicon.dll
[2008/04/05 08:45:56 | 000,004,161 | ---- | C] () -- C:\windows\ODBCINST.INI
[2008/04/05 08:44:21 | 000,419,040 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
[2007/06/05 13:20:32 | 000,177,704 | ---- | C] () -- C:\windows\System32\PSIService.exe
[2006/03/23 05:30:04 | 000,022,045 | ---- | C] () -- C:\windows\MSTMON02.INI
[2006/03/07 04:14:58 | 000,019,284 | ---- | C] () -- C:\windows\MSUMLT02.INI
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\windows\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\windows\System32\secupd.dat
[2004/03/26 18:59:22 | 000,000,000 | ---- | C] () -- C:\windows\System32\px.ini
[2002/03/16 20:00:00 | 000,007,420 | ---- | C] () -- C:\windows\UA000091.DLL
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\windows\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
[2001/08/23 08:00:00 | 000,444,800 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\windows\System32\dssec.dat
[2001/08/23 08:00:00 | 000,072,510 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\windows\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\windows\System32\oembios.dat
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\windows\System32\noise.dat
[1999/01/12 11:40:22 | 000,029,184 | ---- | C] () -- C:\windows\rmud.exe

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ERDNT\cache\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2007/06/13 07:26:03 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=7712DF0CDDE3A5AC89843E61CD5B3658 -- C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
[2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) MD5=97BD6515465659FF8F3B7BE375B2EA87 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
[2004/08/04 00:56:50 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
[2011/05/01 13:45:01 | 000,235,008 | ---- | M] () MD5=D4DFBF58EA7D1F5CF9D271ABF76B7745 -- C:\WINDOWS\Temp\explorer.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 00:56:58 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ERDNT\cache\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

< End of report >

OTL Extras logfile created on: 5/1/2011 1:34:02 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Lisa\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 488.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 73.12 Gb Total Space | 9.36 Gb Free Space | 12.81% Space Free | Partition Type: NTFS

Computer Name: WINDOWSX-253476 | User Name: Lisa | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5191:TCP" = 5191:TCP:*:Enabled:The Browser Highlighter XCOM
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP640_series" = Canon MP640 series MP Drivers
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{15803703-25FA-4C01-A062-3F4A59937E87}" = Ulead PhotoImpact X3
"{162B71B8-8464-4680-A086-601D555B331D}" = Apple Mobile Device Support
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{5C93E291-A1CC-4E51-85C6-E194209FCDB4}" = Zune Language Pack (PTG)
"{612B9183-67A9-4B44-9877-2F059E35B86A}" = Broadcom 440x 10/100 Integrated Controller
"{63DB9CCD-2B56-4217-9A3D-507AC78320CA}" = mWMI
"{6798F012-57C5-49AD-9A9D-4097616F4E1B}" = PGP Desktop
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7148F0A8-6813-11D6-A77B-00B0D0142100}" = Java 2 Runtime Environment, SE v1.4.2_10
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78D62D17-D970-42DA-B8CF-5E5576293B33}" = Final Draft 7
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C26B06A9-27BB-45B0-9873-9C623EC2BA38}" = iTunes
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"4569969E1360D2854474C661EF9B4D54F143EB16" = Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"ATT-PRT22" = ATT-PRT22
"BitTorrent" = BitTorrent
"Canon MP640 series User Registration" = Canon MP640 series User Registration
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"CanonMyPrinter" = Canon Utilities My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"Cinergy Script Editor" = Cinergy Script Editor
"ClickBook_is1" = Blue Squirrel ClickBook 9.0
"CloneDVD2" = CloneDVD2
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"CobBackup10" = Cobian Backup 10
"Easy-PhotoPrint EX" = Canon Utilities Easy-PhotoPrint EX
"Easy-WebPrint EX" = Canon Easy-WebPrint EX
"ENTERPRISE" = Microsoft Office Enterprise 2007
"EPSON Printer and Utilities" = EPSON Printer Software
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{15803703-25FA-4C01-A062-3F4A59937E87}" = Ulead PhotoImpact X3
"KONICA MINOLTA magicolor 2500W" = KONICA MINOLTA magicolor 2500W
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.17)" = Mozilla Firefox (3.5.17)
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSCSR" = Microsoft Speech Recognition Engine 4.0 (English)
"MSNINST" = MSN
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"oDMCam" = oDesk MiniCam 2.0.73
"oDShare" = oDesk Share 2.0.69
"oDSSnap" = oDesk ScreenSnap 2.0.113
"oDVT" = oDesk Team 2.0.140
"PrimoPDF" = PrimoPDF -- brought to you by Nitro PDF Software
"ProInst" = Intel® PROSet/Wireless Software
"RegCure" = RegCure 1.5.0.0
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.0.0
"vShare" = vShare Plugin
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01009" = Microsoft User-Mode Driver Framework Feature Pack 1.9
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1644491937-515967899-839522115-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/29/2011 9:02:19 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 4/29/2011 9:02:19 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 4/29/2011 9:24:09 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/1/2011 1:25:13 PM | Computer Name = WINDOWSX-253476 | Source = Application Error | ID = 1000
Description = Faulting application pgptray.exe, version 9.10.0.500, faulting module
pgpwd.dll, version 9.10.0.500, fault address 0x00006bb0.

Error - 5/1/2011 1:27:43 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/1/2011 1:27:47 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 5/1/2011 1:39:12 PM | Computer Name = WINDOWSX-253476 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x7c922235.

Error - 5/1/2011 1:39:19 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/1/2011 1:43:41 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 5/1/2011 1:43:42 PM | Computer Name = WINDOWSX-253476 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ Cobian Backup Boletus VSC Service Events ]
Error - 4/25/2011 6:11:57 PM | Computer Name = WINDOWSX-253476 | Source = Cobian Backup Boletus VSC Service | ID = 0
Description = The provider returned an unexpected error code.

Error - 4/25/2011 6:12:58 PM | Computer Name = WINDOWSX-253476 | Source = Cobian Backup Boletus VSC Service | ID = 0
Description = The operation has timed out.

Error - 4/25/2011 6:52:56 PM | Computer Name = WINDOWSX-253476 | Source = Cobian Backup Boletus VSC Service | ID = 0
Description = Object reference not set to an instance of an object.

[ OSession Events ]
Error - 6/16/2009 3:21:29 PM | Computer Name = WINDOWSX-253476 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6504.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 5
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/19/2010 12:53:41 AM | Computer Name = WINDOWSX-253476 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 303
seconds with 180 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 5/1/2011 1:44:33 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:44:33 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:44:41 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:44:44 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:45:05 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:45:15 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:45:15 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:45:36 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:48:12 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 5/1/2011 1:48:12 PM | Computer Name = WINDOWSX-253476 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >

#4 myrti (Malware Study Hall Admin)

Posted 01 May 2011 - 05:12 PM

Hi,

It looks as if you already ran ComboFix. If so, could you please post the log for me in your next reply?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#5 countpc (Topic Starter)

Posted 01 May 2011 - 07:49 PM

Busted. Here's the log from ComboFix.

Best,

CPC


ComboFix 11-04-22.01 - Lisa 04/22/2011 21:26:39.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.547 [GMT -4:00]
Running from: c:\documents and settings\Lisa\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Lisa\Application Data\ezLife
c:\documents and settings\Lisa\Application Data\ezLife\ezLife\log.xml
c:\documents and settings\Lisa\Application Data\Smart-Ads-Solutions
c:\documents and settings\Lisa\GoToAssistDownloadHelper.exe
c:\documents and settings\WindowsXP\g2mdlhlpx.exe
c:\documents and settings\WindowsXP\GoToAssistDownloadHelper.exe
c:\documents and settings\WindowsXP\WINDOWS
c:\program files\Mozilla Firefox\components\nsFFxSHot.xpt
c:\windows\Web\default.htt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))
.
.
2011-04-19 06:18 . 2011-04-19 06:18 -------- dc----w- C:\$AVG
2011-04-18 18:29 . 2011-04-18 18:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-18 18:19 . 2011-04-18 18:42 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-18 18:19 . 2011-04-18 18:19 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-04-18 18:18 . 2011-04-18 18:29 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-17 22:34 . 2011-04-17 22:34 0 ----a-w- c:\windows\Wgodadazad.bin
2011-04-15 00:18 . 2009-04-20 17:17 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2011-03-26 13:44 . 2011-03-26 13:45 -------- d-----w- c:\documents and settings\Lisa\Local Settings\Application Data\Google
2011-03-26 13:44 . 2011-03-26 13:44 -------- d-----w- c:\documents and settings\Lisa\Application Data\Canon Easy-WebPrint EX
2011-03-26 13:43 . 2011-03-26 13:43 -------- d-----w- c:\documents and settings\Lisa\Application Data\vShare
2011-03-26 13:43 . 2011-03-26 13:43 -------- d-----w- c:\documents and settings\Lisa\Application Data\AVG10
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2008-04-05 17:53 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 04:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 03:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 03:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 03:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-16 21:10 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 04:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 04:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 23:03 . 2004-08-04 04:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33 . 2004-08-04 04:56 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-02 07:58 . 2008-04-05 17:51 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2008-04-05 17:51 677888 ----a-w- c:\windows\system32\mstsc.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]
@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"
[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]
2009-03-04 23:19 612920 ----a-w- c:\windows\system32\PGPfsshl.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2007-08-03 95504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"KONICA MINOLTA magicolor 2500W STD"="c:\windows\system32\MSTMON02.EXE" [2006-03-09 192512]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-01 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
.
c:\documents and settings\Lisa\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.exe.lnk - c:\windows\Installer\{6798F012-57C5-49AD-9A9D-4097616F4E1B}\Icon6560581611.exe [2009-7-26 55296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\PGPmapih.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ONE Launcher.lnk]
backup=c:\windows\pss\ONE Launcher.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^WindowsXP^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
backup=c:\windows\pss\Antimalware Doctor.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^WindowsXP^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
2004-03-21 16:20 186880 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2007-05-14 19:23 1191936 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 05:04 122933 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-10-08 19:13 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-10-08 19:18 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 14:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-09-01 07:24 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLANKEEPER"=2 (0x2)
"S24EventMonitor"=2 (0x2)
"RegSrvc"=2 (0x2)
"EvtEng"=2 (0x2)
"TapiSrv"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5191:TCP"= 5191:TCP:The Browser Highlighter XCOM
.
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [3/4/2009 7:19 PM 135736]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/30/2010 10:28 PM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [4/5/2008 2:06 PM 20160]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/2/2010 6:31 PM 685816]
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-01 02:27]
.
2011-04-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-01 02:27]
.
2011-04-23 c:\windows\Tasks\User_Feed_Synchronization-{11505FE9-9052-4AA0-9039-A5E39BC2C2C7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: c:\windows\system32\PGPlsp.dll
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\zvvkrigw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C7295176-C684-4B56-B73E-9957D73B7647} - c:\documents and settings\WindowsXP\Local Settings\Application Data\{C7295176-C684-4B56-B73E-9957D73B7647}
.
.
------- File Associations -------
.
.txt=e-NoteTaker.Document
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
HKLM_ActiveSetup-{73C6B7FE-894A-44EA-9914-E60290F3294F} - c:\documents and settings\WindowsXP\Application Data\Sun\eidbkzw.dll
AddRemove-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD-uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-22 21:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541080G9SA00 rev.MB4OC60R -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x870E533B
user & kernel MBR OK
copy of MBR has been found in sector 153340425
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll
c:\windows\system32\PGPpwflt.dll
c:\windows\system32\PGPwd.dll
c:\windows\system32\PGPsdk.dll
.
- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\windows\system32\PGPlsp.dll
c:\program files\Microsoft Office\Office12\GrooveShellExtensions.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\PGPfsshl.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\PGPserv.exe
c:\windows\system32\PSIService.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-04-22 21:49:35 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-23 01:49
.
Pre-Run: 5,956,800,512 bytes free
Post-Run: 9,691,574,272 bytes free
.
- - End Of File - - 1F5E7CC018286F1807C86148D3BFE111
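Before the aswMBR result came back, the ComboFix log above already carried the classic signs of something suppressing the user's view of the machine's security state: both Security Center overrides set, DisableMonitoring under Security Center and its two Symantec sub-keys, Windows Firewall notifications switched off, and an AppInit_DLLs entry (here PGP's PGPmapih.dll, which is legitimate, but AppInit_DLLs is exactly the kind of entry to verify). The following Python is an added example, not part of this thread and not ComboFix's code: it parses the REGEDIT4-style excerpt ComboFix prints and lists those settings for review. The sample text is copied from the log above; the rules and the wording of the findings are the example's own and should not be read as ComboFix's verdict. Legitimate security suites set several of these values too, so each finding is a prompt to check, not a detection on its own.

```python
import re
from typing import Dict, List, Union

RegValue = Union[int, str]

# Sample copied from the ComboFix log posted above (ComboFix's own REGEDIT4-style rendering).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\PGPmapih.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9a-fA-F]{1,8})$")
DECIMAL_HEX_RE = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")   # ComboFix's "1 (0x1)" form


def parse_value(raw: str) -> RegValue:
    """Turn ComboFix's rendering of a registry value into an int where it is numeric."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group(1), 16)
    m = DECIMAL_HEX_RE.match(raw)
    if m:
        return int(m.group(1))
    return raw


def parse_reg_excerpt(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map lower-cased key path -> {value name: value}. ComboFix's '.' separator lines are ignored."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == ".":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = parse_value(m.group(2))
    return keys


def triage_security_state(keys: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """List settings that hide security state from the user. These are review prompts,
    not verdicts: legitimate suites (Symantec on this machine) set several of them too."""
    findings: List[str] = []
    for key, values in keys.items():
        if key.endswith(r"security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(f"{name}=1: Security Center will not alert on missing or disabled protection")
        if r"security center\monitoring" in key and values.get("DisableMonitoring") == 1:
            findings.append(f"DisableMonitoring=1 under {key}")
        if key.endswith(r"firewallpolicy\standardprofile") and values.get("DisableNotifications") == 1:
            findings.append("Windows Firewall notifications disabled (DisableNotifications=1)")
        if key.endswith(r"windows nt\currentversion\windows") and values.get("AppInit_DLLs"):
            findings.append(
                f"AppInit_DLLs={values['AppInit_DLLs']}: loaded into every process that maps user32.dll; verify the publisher"
            )
    return findings


if __name__ == "__main__":
    for finding in triage_security_state(parse_reg_excerpt(SAMPLE)):
        print("REVIEW:", finding)
```

Run against the excerpt above this yields seven review items: the two overrides, three DisableMonitoring values, the firewall notification setting and the AppInit_DLLs path. On a machine where the user did not knowingly suppress these alerts, that pattern is what prompts the deeper MBR check that follows in the thread.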

#6 myrti (Malware Study Hall Admin)

Posted 02 May 2011 - 05:49 AM

Hi,

please run a scan with aswMBR next:
Please download aswMBR (511 KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



#7 countpc (Topic Starter)

Posted 02 May 2011 - 01:57 PM

Hello,

Here is the log as requested.

Best,

CPC



aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-02 14:55:03
-----------------------------
14:55:03.531 OS Version: Windows 5.1.2600 Service Pack 3
14:55:03.531 Number of processors: 2 586 0xE08
14:55:03.531 ComputerName: WINDOWSX-253476 UserName: Lisa
14:55:05.062 Initialize success
14:55:22.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:55:22.640 Disk 0 Vendor: Hitachi_HTS541080G9SA00 MB4OC60R Size: 74881MB BusType: 3
14:55:22.640 Device \Driver\atapi -> DriverStartIo 870df33b
14:55:24.640 Disk 0 MBR read successfully
14:55:24.640 Disk 0 MBR scan
14:55:24.640 Disk 0 TDL4@MBR code has been found
14:55:24.640 Disk 0 Windows XP default MBR code found via API
14:55:24.640 Disk 0 MBR hidden
14:55:24.640 Disk 0 MBR [TDL4] **ROOTKIT**
14:55:24.640 Disk 0 trace - called modules:
14:55:24.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x870df4f0]<<
14:55:24.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8715cab8]
14:55:24.640 3 CLASSPNP.SYS[f75ddfd7] -> nt!IofCallDriver -> \Device\00000071[0x87112f18]
14:55:24.656 5 ACPI.sys[f7454620] -> nt!IofCallDriver -> [0x8716dd98]
14:55:24.671 \Driver\atapi[0x87140f38] -> IRP_MJ_CREATE -> 0x870df4f0
14:55:24.671 Scan finished successfully
14:55:59.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\MBR.dat"
14:55:59.703 The log file has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\aswMBR.txt"
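What aswMBR reports above is a disagreement between two views of sector 0. Read through the storage stack, where \Driver\atapi's DriverStartIo has been hooked, the disk presents stock Windows XP MBR code ("Windows XP default MBR code found via API"); read below the hook, the sector holds TDL4 code, so the real MBR is "hidden". TDL4 replaces the boot code but keeps the partition table, which is why the system still boots normally. ComboFix's catchme pass made the same observation earlier (the atapi hook and "copy of MBR has been found in sector 153340425"); on this 74881 MB Hitachi that sector lies roughly 8 MB from the end of the drive, where the rootkit keeps its data. The following Python is an added example, not part of the thread and not aswMBR's or GMER's code: it parses an MBR, classifies an API-view/raw-view pair, and scans a disk image for a stashed MBR copy with the same partition table. The boot-code bytes, the partition entry and the 64-sector disk image are constructed stand-ins; they are not TDL4 bytes and not this user's disk.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 are executable boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"        # bytes 510..511


@dataclass(frozen=True)
class Partition:
    status: int       # 0x80 = bootable
    type_id: int      # e.g. 0x07 = NTFS
    lba_start: int
    sectors: int


@dataclass
class Mbr:
    boot_code: bytes
    partitions: Tuple[Partition, ...]
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, type_id = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if type_id != 0:                        # type 0 = unused slot
            parts.append(Partition(status, type_id, lba_start, sectors))
    return Mbr(sector[:BOOT_CODE_LEN], tuple(parts), sector[510:512] == SIGNATURE)


def build_mbr(boot_code: bytes, partitions: Tuple[Partition, ...]) -> bytes:
    """Assemble a sector from boot code and a partition table (used here only to build test data)."""
    table = b"".join(
        struct.pack("<B3xB3xII", p.status, p.type_id, p.lba_start, p.sectors) for p in partitions
    ).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


def classify(api_view: bytes, raw_view: bytes) -> str:
    """Compare sector 0 as returned through the storage stack with sector 0 read below it."""
    if api_view == raw_view:
        return "consistent"
    api, raw = parse_mbr(api_view), parse_mbr(raw_view)
    if api.partitions == raw.partitions and api.boot_code != raw.boot_code:
        # Same partition table, different code: the stack is lying about the boot code.
        return "hidden-mbr"
    return "inconsistent"


def find_mbr_copy(disk: bytes, partitions: Tuple[Partition, ...], skip_lba: int = 0) -> Optional[int]:
    """Return the LBA of a sector other than skip_lba holding a valid MBR with the same partition table."""
    for lba in range(len(disk) // SECTOR):
        if lba == skip_lba:
            continue
        sec = disk[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[510:512] == SIGNATURE and parse_mbr(sec).partitions == partitions:
            return lba
    return None


# ---- constructed sample data (not real boot code, not this user's disk) ----
PARTS = (Partition(0x80, 0x07, 2048, 100000),)
CLEAN_MBR = build_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE", PARTS)
INFECTED_MBR = build_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE", PARTS)
DISK_SECTORS = 64
COPY_LBA = 60                  # stand-in for the "copy of MBR" catchme found near the end of the disk


def build_disk() -> bytes:
    disk = bytearray(DISK_SECTORS * SECTOR)
    disk[0:SECTOR] = INFECTED_MBR                                 # what the platter actually holds
    disk[COPY_LBA * SECTOR:(COPY_LBA + 1) * SECTOR] = CLEAN_MBR   # original stashed out of the way
    return bytes(disk)


def demo() -> Tuple[str, Optional[int]]:
    disk = build_disk()
    raw_view = disk[:SECTOR]      # direct read, below the hook
    api_view = CLEAN_MBR          # what a read through the hooked driver would return
    return classify(api_view, raw_view), find_mbr_copy(disk, parse_mbr(raw_view).partitions)


if __name__ == "__main__":
    print(demo())
```

The point of the partition-table comparison is that an intact table plus different boot code is the signature of a bootkit rather than disk corruption: corruption would not leave the four entries byte-identical. On a live system the two views come from reading \\.\PhysicalDrive0 through the normal stack versus a read path the tool trusts (which is what aswMBR and catchme implement); the example only models the comparison and the search, not the kernel-level read.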

#8 myrti (Malware Study Hall Admin)

Posted 02 May 2011 - 04:10 PM

Hi,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you choose to clean please run aswMBR again:

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!



#9 countpc

countpc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 02 May 2011 - 06:01 PM

Hi,

I went with the clean option. Okay, I actually have two logs for you. This is because when I first ran the scan and hit fix, my PC completely froze and I had to manually restart. Seems like everything is okay, but who knows. Anyhoo, here are the logs. One is after the scan that froze, and the other is after the fix.

Best,

CPC



aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-02 18:50:38
-----------------------------
18:50:38.015 OS Version: Windows 5.1.2600 Service Pack 3
18:50:38.015 Number of processors: 2 586 0xE08
18:50:38.015 ComputerName: WINDOWSX-253476 UserName: Lisa
18:50:38.890 Initialize success
18:50:44.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:50:44.093 Disk 0 Vendor: Hitachi_HTS541080G9SA00 MB4OC60R Size: 74881MB BusType: 3
18:50:46.234 Disk 0 MBR read successfully
18:50:46.250 Disk 0 MBR scan
18:50:46.250 Disk 0 Windows XP default MBR code
18:50:48.250 Disk 0 scanning sectors +153340425
18:50:48.281 Disk 0 malicious Win32:MBRoot code @ sector 153340428 !
18:50:48.296 Disk 0 PE file @ sector 153340450 !
18:50:48.296 Disk 0 scanning C:\windows\system32\drivers
18:50:56.687 Service scanning
18:50:58.937 Disk 0 trace - called modules:
18:50:58.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:50:58.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87143ab8]
18:50:58.984 3 CLASSPNP.SYS[f75ddfd7] -> nt!IofCallDriver -> \Device\00000071[0x8711b510]
18:50:59.015 5 ACPI.sys[f7454620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87146940]
18:50:59.015 Scan finished successfully
18:51:37.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\MBR.dat"
18:51:37.203 The log file has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\aswMBR2.txt"


aswMBR version 0.9.5.247 Copyright© 2011 AVAST Software
Run date: 2011-05-02 18:50:38
-----------------------------
18:50:38.015 OS Version: Windows 5.1.2600 Service Pack 3
18:50:38.015 Number of processors: 2 586 0xE08
18:50:38.015 ComputerName: WINDOWSX-253476 UserName: Lisa
18:50:38.890 Initialize success
18:50:44.078 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:50:44.093 Disk 0 Vendor: Hitachi_HTS541080G9SA00 MB4OC60R Size: 74881MB BusType: 3
18:50:46.234 Disk 0 MBR read successfully
18:50:46.250 Disk 0 MBR scan
18:50:46.250 Disk 0 Windows XP default MBR code
18:50:48.250 Disk 0 scanning sectors +153340425
18:50:48.281 Disk 0 malicious Win32:MBRoot code @ sector 153340428 !
18:50:48.296 Disk 0 PE file @ sector 153340450 !
18:50:48.296 Disk 0 scanning C:\windows\system32\drivers
18:50:56.687 Service scanning
18:50:58.937 Disk 0 trace - called modules:
18:50:58.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:50:58.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87143ab8]
18:50:58.984 3 CLASSPNP.SYS[f75ddfd7] -> nt!IofCallDriver -> \Device\00000071[0x8711b510]
18:50:59.015 5 ACPI.sys[f7454620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x87146940]
18:50:59.015 Scan finished successfully
18:51:37.203 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\MBR.dat"
18:51:37.203 The log file has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\aswMBR2.txt"
18:51:49.015 Disk 0 scanning sectors +153340425
18:51:49.046 Disk 0 malicious Win32:MBRoot code @ sector 153340428 !
18:51:49.046 Disk 0 PE file @ sector 153340450 !
18:51:49.062 Disk 0 sector 153340428 cleaned
18:51:49.062 Disk 0 sector 153340450 cleaned
18:51:49.062 Verifying disinfection
18:52:03.125 Infection fixed successfully - please reboot ASAP
18:52:11.859 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\MBR.dat"
18:52:11.890 The log file has been saved successfully to "C:\Documents and Settings\Lisa\Desktop\aswMBR3.txt"

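The two logs above show the same disk with the MBR itself now reading as "Windows XP default MBR code" while aswMBR still flags Win32:MBRoot code and a PE file at sectors 153340428 and 153340450, close to the end of a 74881MB drive. TDL4 keeps its hidden file system in unpartitioned space after the last partition, so a useful check on any such report is whether the flagged sectors fall outside every entry in the partition table. The script below is an added example, not part of this thread and not aswMBR's own code: it parses a 512-byte MBR, lists the sector ranges that no primary partition covers, and maps each flagged sector from an aswMBR-style log onto that layout. The log excerpt and the single-partition MBR are constructed to match the numbers in the post (where the partition ends is an assumption); it also assumes that aswMBR's "MB" means 2^20 bytes and that the MBR.dat it saves to the Desktop is the raw 512-byte sector.

```python
"""Added example (not from the thread): check whether sectors that aswMBR flags
lie outside every partition in the MBR, which is where a bootkit such as TDL4
keeps its hidden storage.  The MBR bytes and the log excerpt below are
constructed to mirror the disk in the thread; they are not the poster's MBR.dat."""
import re
import struct

SECTOR = 512
PART_TABLE = 446          # offset of the 4 x 16-byte partition entries
BOOT_SIG = b"\x55\xAA"


def build_sample_mbr(partitions):
    """Construct a 512-byte MBR from (boot_flag, type, lba_start, lba_count) tuples.
    CHS fields are left zero; the parser below only uses the LBA fields."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty primary partition entries as dicts (end is exclusive)."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with a 55AA boot signature")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE + 16 * i)
        if ptype and count:
            parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                          "start": start, "end": start + count})
    return parts


def unallocated_ranges(parts, disk_sectors):
    """Sector ranges [a, b) covered by no primary partition (sector 0 is the MBR)."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


# Patterns for the aswMBR log lines used here: the detections and the "Size: NNNNNMB" line.
FLAG_RE = re.compile(r"(?:malicious \S+ code|PE file) @ sector (\d+)")
SIZE_RE = re.compile(r"Size: (\d+)MB")


def flagged_sectors(log):
    return sorted({int(m.group(1)) for m in FLAG_RE.finditer(log)})


def disk_sectors_from_log(log):
    # Assumption: aswMBR's MB is 2^20 bytes, so MB * 2048 gives 512-byte sectors.
    return int(SIZE_RE.search(log).group(1)) * 2048


def triage(log, mbr):
    """Map each flagged sector to where it lives relative to the partition table."""
    disk_sectors = disk_sectors_from_log(log)
    parts = parse_partitions(mbr)
    gaps = unallocated_ranges(parts, disk_sectors)
    verdict = {}
    for s in flagged_sectors(log):
        if s >= disk_sectors:
            verdict[s] = "beyond the reported disk size"
        elif any(a <= s < b for a, b in gaps):
            verdict[s] = "unallocated (outside every partition)"
        else:
            idx = next(p["index"] for p in parts if p["start"] <= s < p["end"])
            verdict[s] = f"inside partition {idx}"
    return verdict


# Constructed log excerpt in the style of aswMBR; the numbers match the post above.
SAMPLE_LOG = """\
18:50:44.093 Disk 0 Vendor: Hitachi_HTS541080G9SA00 MB4OC60R Size: 74881MB BusType: 3
18:50:46.250 Disk 0 Windows XP default MBR code
18:50:48.281 Disk 0 malicious Win32:MBRoot code @ sector 153340428 !
18:50:48.296 Disk 0 PE file @ sector 153340450 !
"""
# Constructed MBR: one bootable NTFS partition from sector 63 that stops a few
# thousand sectors short of the disk end (assumed layout, not the poster's disk).
SAMPLE_MBR = build_sample_mbr([(0x80, 0x07, 63, 153340362)])

if __name__ == "__main__":
    for sector, where in triage(SAMPLE_LOG, SAMPLE_MBR).items():
        print(f"sector {sector}: {where}")
```

On a real capture, `parse_partitions(open("MBR.dat", "rb").read())` together with the saved aswMBR.txt gives the same verdict; a detection that lands in the tail gap after the last partition is the signature of a bootkit's hidden storage, while one inside a partition points at a file you can look for on the file system.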
#10 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:54 PM

Posted 03 May 2011 - 09:58 AM

Hi,

the log is looking good. Could you please confirm that the google redirects are/remain gone?

regards myrti



#11 countpc

countpc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 03 May 2011 - 01:20 PM

Hi,

All appears well. No redirects.

Thank you for all your help. I really appreciate it.

Best,

CPC

#12 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:54 PM

Posted 03 May 2011 - 04:37 PM

Happy to hear that! :)

Please run a scan with Eset to check for leftovers:
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on the ESET Online Scanner button.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on the button to continue.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on the button to start.
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on the button to finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



#13 countpc

countpc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 03 May 2011 - 08:07 PM

Hi,

Here is the log from the online scan.

Best,

CPC

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-3dbad67f multiple threats
C:\Documents and Settings\WindowsXP\Application Data\C7BF4A9B0722967E9F7655835FDDA866\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\WindowsXP\Local Settings\Temporary Internet Files\Content.IE5\E4JYZI30\m57ns8yz[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\WindowsXP\My Documents\Downloads\Final Draft v7.1.1.19\Patch.exe a variant of Win32/HackTool.Patcher.A application
C:\Program Files\Final Draft 7\Patch.exe a variant of Win32/HackTool.Patcher.A application
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201103.exe Win32/TrojanDropper.Agent.PEY trojan
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201104.exe Win32/TrojanDropper.Agent.PEY trojan
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201105.exe probably a variant of Win32/Adware.Agent.GXIGJWO application
C:\WINDOWS\system32\null0.3072407143806358.exe a variant of Win32/Kryptik.NBI trojan
C:\WINDOWS\Temp\jar_cache47933.tmp a variant of Win32/Kryptik.NBI trojan

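Not every line in an ESET report is a live infection. The three entries under System Volume Information are copies held inside System Restore points, the Java deployment cache, Content.IE5 and WINDOWS\Temp entries are cached copies of what the browser and the Java plug-in pulled down, and the two Patch.exe hits are a patcher flagged as a HackTool rather than an infection. What needs active removal is what sits in a live location: the folder with a random 32-hex-character name under Application Data and the executable dropped into system32. The script below is an added example, not from the thread and not part of ESET or OTL: it parses ESET result lines, classifies each hit by where it lives, and renders the `:files` block for the live items. The log text is a constructed copy of the post's lines; the location rules are assumptions that fit this log, not ESET's own severity scheme, and the script cannot know about items such as the At*.job scheduled tasks that do not appear in the ESET output.

```python
"""Added example (not from the thread): parse ESET Online Scanner result lines
and sort each hit by where it sits, separating inert copies (restore points,
browser/Java caches) from items in live locations that an OTL :files fix must
remove.  The log lines below are a constructed copy of the ones in the post."""
import re
from pathlib import PureWindowsPath

# <path> <detection> [<kind>]; the path may contain spaces, so it is matched lazily
# up to a detection of the form Family/Name (optionally prefixed) or "multiple threats".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<det>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+|multiple threats)"
    r"(?:\s+(?P<kind>application|virus|trojan|worm))?$"
)
# Random 32-hex-character folder names under Application Data (assumed rule).
HEX_DIR = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_eset_log(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            rows.append({"path": line, "detection": None, "kind": None, "unparsed": True})
            continue
        rows.append({"path": m["path"], "detection": m["det"], "kind": m["kind"], "unparsed": False})
    return rows


def classify(path):
    """Where does this hit live?  Order matters: a cache under \\WINDOWS\\Temp is a copy, not a live file."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    low = path.lower()
    if "system volume information" in parts:
        return "restore-point copy"
    if "temporary internet files" in parts or "temp" in parts or "\\sun\\java\\deployment\\cache\\" in low:
        return "cache copy"
    if any(HEX_DIR.match(s) for s in p.parts):
        return "live: random-hex Application Data folder"
    if "windows" in parts:
        return "live: Windows directory"
    return "other (review manually)"


def removal_targets(rows):
    """Paths an OTL :files fix should move: the whole random-hex folder, or the live file itself."""
    targets = set()
    for r in rows:
        cat = classify(r["path"])
        if cat.startswith("live: random-hex"):
            parts = PureWindowsPath(r["path"]).parts
            i = next(i for i, s in enumerate(parts) if HEX_DIR.match(s))
            targets.add(str(PureWindowsPath(*parts[: i + 1])))   # cut right after the hex folder
        elif cat.startswith("live:"):
            targets.add(r["path"])
    return sorted(targets)


def otl_files_fix(rows):
    """Render the OTL custom fix block for the live items."""
    return ":files\n" + "\n".join(removal_targets(rows))


# Constructed copy of the ESET result lines from the post above.
SAMPLE_LOG = r"""
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\4\436f3604-3dbad67f multiple threats
C:\Documents and Settings\WindowsXP\Application Data\C7BF4A9B0722967E9F7655835FDDA866\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\WindowsXP\Local Settings\Temporary Internet Files\Content.IE5\E4JYZI30\m57ns8yz[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\WindowsXP\My Documents\Downloads\Final Draft v7.1.1.19\Patch.exe a variant of Win32/HackTool.Patcher.A application
C:\Program Files\Final Draft 7\Patch.exe a variant of Win32/HackTool.Patcher.A application
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201103.exe Win32/TrojanDropper.Agent.PEY trojan
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201104.exe Win32/TrojanDropper.Agent.PEY trojan
C:\System Volume Information\_restore{6FBA9E8E-4A64-48BC-A6D3-DA8571D16837}\RP275\A0201105.exe probably a variant of Win32/Adware.Agent.GXIGJWO application
C:\WINDOWS\system32\null0.3072407143806358.exe a variant of Win32/Kryptik.NBI trojan
C:\WINDOWS\Temp\jar_cache47933.tmp a variant of Win32/Kryptik.NBI trojan
"""

if __name__ == "__main__":
    rows = parse_eset_log(SAMPLE_LOG)
    for r in rows:
        print(f"{classify(r['path']):45} {r['detection']}  {r['path']}")
    print(otl_files_fix(rows))
```

The restore-point copies are handled by turning System Restore off and on again after the cleanup, and the cache entries by clearing the browser and Java caches; only the live items go into the OTL fix.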
#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:54 PM

Posted 04 May 2011 - 02:47 AM

Hi,

please run this fix to remove the items that are left:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :files
    C:\Documents and Settings\WindowsXP\Application Data\C7BF4A9B0722967E9F7655835FDDA866
    C:\WINDOWS\system32\null0.3072407143806358.exe 
    C:\Windows\tasks\at*.job
  • Then click the Run Fix button at the top
  • Let the program run unhindered, when done it will say "Fix Complete press ok to open the log"
  • Please post that log in your next reply.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
    If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

regards myrti

Edited by myrti, 04 May 2011 - 02:47 AM.



#15 countpc

countpc
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:54 PM

Posted 04 May 2011 - 01:34 PM

Hi,

Here is the OTL log as requested.

Best,

CPC


========== FILES ==========
C:\Documents and Settings\WindowsXP\Application Data\C7BF4A9B0722967E9F7655835FDDA866 folder moved successfully.
C:\WINDOWS\system32\null0.3072407143806358.exe moved successfully.
C:\Windows\tasks\At1.job moved successfully.
C:\Windows\tasks\At10.job moved successfully.
C:\Windows\tasks\At11.job moved successfully.
C:\Windows\tasks\At12.job moved successfully.
C:\Windows\tasks\At13.job moved successfully.
C:\Windows\tasks\At14.job moved successfully.
C:\Windows\tasks\At15.job moved successfully.
C:\Windows\tasks\At16.job moved successfully.
C:\Windows\tasks\At17.job moved successfully.
C:\Windows\tasks\At18.job moved successfully.
C:\Windows\tasks\At19.job moved successfully.
C:\Windows\tasks\At2.job moved successfully.
C:\Windows\tasks\At20.job moved successfully.
C:\Windows\tasks\At21.job moved successfully.
C:\Windows\tasks\At22.job moved successfully.
C:\Windows\tasks\At23.job moved successfully.
C:\Windows\tasks\At24.job moved successfully.
C:\Windows\tasks\At3.job moved successfully.
C:\Windows\tasks\At4.job moved successfully.
C:\Windows\tasks\At5.job moved successfully.
C:\Windows\tasks\At6.job moved successfully.
C:\Windows\tasks\At7.job moved successfully.
C:\Windows\tasks\At8.job moved successfully.
C:\Windows\tasks\At9.job moved successfully.

OTL by OldTimer - Version 3.2.22.3 log created on 05042011_142845

