
Google Redirect, Fake Chrome, and Possibly Related Strange Occurrences


This topic is locked
17 replies to this topic

#1 Kroto

  • Members
  • 8 posts

Posted 23 July 2011 - 06:31 PM

This is on Windows XP Media Center edition.

A few days ago (starting around 20 July 2011) I started noticing that some of my Google results would lead me away from my results to separate advertising websites. At first I didn't think much about it, because I tried again and I was able to get where I needed to go. However, when it started becoming very frequent (several times in a row) I began to suspect that I had become infected with something. I used Google to check why these redirects might be happening and found information about rootkits and things that seemed to match my problem. At first I tried to simply remove it on my own, by using my anti-virus (Norton) and several anti-malware programs (Spybot, Malwarebytes) and an online scan (ESET) and all of these things found some threats (15 or less; mostly tracking cookies). Despite this, I am still experiencing redirects, and so I have come here for more advanced and knowledgeable guidance. I also tried TDSS Killer several times, although that found nothing. I was using Mozilla Firefox (5), but I tried uninstalling Firefox and reinstalling it again and experienced the same redirects in Internet Explorer.

The strangest thing is that during the time I was trying to uninstall it, a Google Chrome icon appeared on my Desktop, although I do not have Chrome or Google products installed on the infected computer. Having some experience with Chrome on other computers, I also thought the icon looked a little strange; it was "Chrome-y," but not an identical match. I did not try opening it, but I saw that it had installed a Start Menu folder under Programs, of which there were only two options: "Google Chrome" or "Uninstall." I admit that I panicked at the time and, suspecting the worst, I defaulted to that Uninstall, which has removed the suspicious "Chrome" and folder, but may have had other adverse side-effects. I have not made any other changes to my computer since that time.

I have also been experiencing some other strange occurrences in my regular browsing (on Firefox). Firefox occasionally "throws a fit" and reports that a webpage cannot be reached because of something along the lines of "proxy server is refusing connection," even though I have a working Internet connection (I have tried releasing and renewing the connection and I continue to receive the same message) and have not messed with the proxy settings in the actual browser, my computer, or my router. Firefox also occasionally crashes for no reason, which is something that started happening at about the same time as everything else. I am not exactly sure if these last few Firefox errors are related, but I am posting them just in case.

Also, as a final note, I have checked to see if other computers connected to the same router are having these issues (to see if it is a router hijack which I read about), but this is the only computer that exhibits these strange functions.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 15:26:17 on 2011-07-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1380 [GMT -5:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
svchost.exe
C:\WINDOWS\system32\jgsh40032.exe
C:\WINDOWS\system32\ativcoxx32.exe
svchost.exe
C:\Program Files\Installed\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\SFT\GuardedID\gidd.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = about:blank
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.1.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.1.0.29\ips\IPSBHO.DLL
BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\program files\constant guard protection suite\NativeBHO.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
c:\docume~1\admini~1\locals~1\temp\nse9.tmp\temp00
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\pdanet~1.lnk - c:\program files\pdanet for android\PdaNetPC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\p9viu6f7.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SMR200;Symantec SMR Utility Service 2.0.0;c:\windows\system32\drivers\SMR200.SYS [2011-7-23 83064]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0501000.01d\symds.sys [2011-7-23 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0501000.01d\symefa.sys [2011-7-23 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-1 810616]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-6-11 25232]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys [2011-7-23 136312]
R2 FlashDrv;FlashDrv;c:\progra~1\fujitsu\flashaid\FlashDrv.sys [2005-9-14 7196]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.1.0.29\ccsvchst.exe [2011-7-23 130008]
R2 SENS32;System Event Notification ;c:\windows\system32\jgsh40032.exe [2011-7-19 569344]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-13 105592]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2005-9-14 4864]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20110722.031\IDSXpx86.sys [2011-7-22 355256]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110723.002\NAVENG.SYS [2011-7-23 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20110723.002\NAVEX15.SYS [2011-7-23 1542392]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2011-4-27 9472]
S1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [2010-2-7 17016]
S2 BulkUsb;Genesys Logic USB Controller NT 5.0;c:\windows\system32\drivers\usbprn.sys [2010-2-7 7552]
S2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2011-7-18 62536]
S3 AVUSBPVR;AVerMedia USB MPEG-2 Capture Device;c:\windows\system32\drivers\avusbpvr.sys [2005-9-14 1945984]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-3-27 29184]
S3 pneteth;PdaNet Broadband;c:\windows\system32\drivers\pneteth.sys [2011-3-22 13312]
.
=============== Created Last 30 ================
.
2011-07-23 20:20:46 20 ----a-w- c:\windows\system32\drivers\SMR200.dat
2011-07-23 20:20:29 83064 ----a-w- c:\windows\system32\drivers\SMR200.SYS
2011-07-23 19:59:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\NPE
2011-07-23 19:38:26 744568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symefa.sys
2011-07-23 19:38:26 369784 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdi.sys
2011-07-23 19:38:26 331384 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symtdiv.sys
2011-07-23 19:38:26 296568 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symnets.sys
2011-07-23 19:38:25 516216 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtsp.sys
2011-07-23 19:38:25 50168 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\srtspx.sys
2011-07-23 19:38:25 340088 ----a-w- c:\windows\system32\drivers\n360\0501000.01d\symds.sys
2011-07-23 19:38:25 136312 ----a-r- c:\windows\system32\drivers\n360\0501000.01d\ironx86.sys
2011-07-23 19:37:39 -------- d-----w- c:\windows\system32\drivers\n360\0501000.01D
2011-07-23 19:28:25 44024 ----a-r- c:\windows\system32\drivers\SymIM.sys
2011-07-22 03:41:07 -------- d-----w- c:\program files\ESET
2011-07-21 00:07:38 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-21 00:07:30 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-21 00:07:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-19 22:21:34 0 ---ha-w- c:\documents and settings\administrator\ukfxdgunaw.tmp
2011-07-19 22:09:26 569344 ----a-w- c:\windows\system32\ativcoxx32.exe
2011-07-19 22:09:24 569344 ----a-w- c:\windows\system32\jgsh40032.exe
2011-07-14 17:12:40 -------- d-----w- c:\documents and settings\all users\application data\Maxtor
2011-07-14 17:06:21 -------- d-----w- c:\documents and settings\administrator\application data\Maxtor Quick Start
2011-07-14 17:06:13 -------- d-----w- c:\program files\Maxtor
2011-07-14 17:05:47 -------- d-----w- c:\windows\Downloaded Installations
2011-07-06 20:35:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-05 15:25:38 66328 ----a-w- c:\windows\system32\SysEventMenu.dll
2011-07-05 15:25:12 53528 ----a-w- c:\windows\system32\GIDLogonXP.dll
2011-07-05 15:24:42 380696 ----a-w- c:\windows\system32\GIDHookLogon.dll
2011-07-05 15:24:32 398608 ----a-w- c:\windows\system32\GIDHook.dll
2011-07-05 15:23:48 102160 ----a-w- c:\windows\system32\GIDBIN3.dll
2011-07-05 15:23:30 173840 ----a-w- c:\windows\system32\GIDBIN1.dll
2011-06-30 12:28:27 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
.
==================== Find3M ====================
.
2011-07-23 19:38:28 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-07-23 19:38:28 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-07-05 15:24:24 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-29 18:32:52 12 ----a-w- c:\windows\acmmzx.dll
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8AA1B2A8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008a[0x8AA3A9E8]
5 ACPI[0xB9F48620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP0T0L0-4[0x8AA59D98]
kernel: MBR read successfully
_asm { CLI ; XOR AX, AX; MOV DS, AX; MOV ES, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; CLD ; MOV SI, SP; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; JMP FAR 0x0:0x61d; }
user != kernel MBR !!!
.
============= FINISH: 15:27:34.23 ===============


I would very much appreciate it if you could lend me some of your time and expertise in order to help me resolve these annoying and persistent issues.

-Kroto

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 24 July 2011 - 03:01 PM

Good evening. :)

Pay a visit to the ESET Online Scanner.

  • Click the ESET Online Scanner button, read the info in the new window, check the appropriate box and click Start.
  • Accept the ActiveX download, and allow it to install.
  • Once this has been completed, you will see the Computer Scan settings page - ensure that you UNCHECK the "Remove found threats" box and then click Start.
  • The virus signature database will now need to be downloaded, so don't forget to instruct your firewall to permit it if it asks.
  • The above will take a little time, so now is a good time to fire up the kettle and open the biccies.
  • Once the scan has completed you will be shown the results - assuming that the scanner has found anything.
  • Click List of found threats and then Export to text file... and save the log somewhere convenient.
  • You can then close out the scanner - don't bother uninstalling it as you may need to use it again.
  • Please post the contents of this file in your next reply, or let me know that nothing was identified.

So long, and thanks for all the fish.

#3 Kroto

  • Topic Starter
  • Members
  • 8 posts

Posted 24 July 2011 - 05:19 PM

As requested, here are the results of the ESET scan:

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{92dd2ac1-2320-4dd4-a5c0-f863d2f15087}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{f64a20cd-95ab-442b-ab28-8945b0e04afa}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 24 July 2011 - 05:28 PM

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.

#5 Kroto

  • Topic Starter
  • Members
  • 8 posts

Posted 25 July 2011 - 03:56 PM

aswMBR version 0.9.8.977 Copyright© 2011 AVAST Software
Run date: 2011-07-25 13:49:02
-----------------------------
13:49:02.343 OS Version: Windows 5.1.2600 Service Pack 3
13:49:02.343 Number of processors: 1 586 0xD08
13:49:02.343 ComputerName: N6220-W UserName:
13:49:03.015 Initialize success
13:49:08.843 AVAST engine defs: 11072500
13:49:19.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
13:49:19.312 Disk 0 Vendor: Size: 0MB BusType: 0
13:49:19.312 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-17
13:49:19.328 Disk 1 Vendor: Size: 0MB BusType: 0
13:49:19.453 Disk 0 MBR read successfully
13:49:19.453 Disk 0 MBR scan
13:49:19.500 Disk 0 unknown MBR code
13:49:19.500 Disk 0 MBR hidden
13:49:19.687 Disk 0 scanning C:\WINDOWS\system32\drivers
13:50:31.640 Service scanning
13:50:33.156 Modules scanning
13:51:59.296 Disk 0 trace - called modules:
13:51:59.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:51:59.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8aa1b2a8]
13:51:59.703 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000008a[0x8aa3a9e8]
13:51:59.703 5 ACPI.sys[b9f48620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x8aa59d98]
13:52:00.328 AVAST engine scan C:\WINDOWS
13:52:58.531 AVAST engine scan C:\WINDOWS\system32
13:53:17.000 File: C:\WINDOWS\system32\ativcoxx32.exe **INFECTED** Win32:Tracur-BV [Trj]
13:55:26.968 File: C:\WINDOWS\system32\jgsh40032.exe **INFECTED** Win32:Tracur-BV [Trj]
13:57:20.906 AVAST engine scan C:\WINDOWS\system32\drivers
13:57:54.953 AVAST engine scan C:\Documents and Settings\Administrator
14:33:44.125 AVAST engine scan C:\Documents and Settings\All Users
14:36:52.781 Scan finished successfully
15:54:37.375 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
15:54:37.390 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
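The aswMBR log above and the ROOTKIT section of the DDS log in the first post both carry the indicators a responder scans for first: files the engine flags as infected, an MBR the tool reports as hidden or running unknown code, and a mismatch between the user-mode and kernel-mode MBR reads. The following is an added triage script, not part of this thread and not code from aswMBR, DDS or GMER; the sample lines are constructed to mirror the format posted here, and the rule table and severity labels are this example's own heuristic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the aswMBR output posted in this
# thread (timestamp-prefixed lines) and on the DDS ROOTKIT section (no
# timestamps). Not copied verbatim from any tool's documentation.
SAMPLE_ASWMBR_LOG = "\n".join([
    r"13:49:19.453 Disk 0 MBR read successfully",
    r"13:49:19.453 Disk 0 MBR scan",
    r"13:49:19.500 Disk 0 unknown MBR code",
    r"13:49:19.500 Disk 0 MBR hidden",
    r"13:49:19.687 Disk 0 scanning C:\WINDOWS\system32\drivers",
    r"13:53:17.000 File: C:\WINDOWS\system32\jgsh40032.exe **INFECTED** Win32:Tracur-BV [Trj]",
    r"13:55:26.968 File: C:\WINDOWS\system32\ativcoxx32.exe **INFECTED** Win32:Tracur-BV [Trj]",
    r"14:36:52.781 Scan finished successfully",
])

SAMPLE_DDS_ROOTKIT_SECTION = "\n".join([
    "device: opened successfully",
    "user: error reading MBR",
    "kernel: MBR read successfully",
    "user != kernel MBR !!!",
])


@dataclass(frozen=True)
class Finding:
    source: str     # which log produced the line ("aswMBR" or "dds")
    severity: str   # "high", "medium" or "low" (this example's own scale)
    indicator: str  # short machine-readable label
    detail: str     # the matching line with its timestamp removed


# aswMBR prefixes every line with HH:MM:SS.mmm; the DDS rootkit section does not.
_TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+")
# "File: <path> **INFECTED** <detection name>"
_INFECTED_RE = re.compile(r"^File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>.+)$")

# Substring rules for MBR-level indicators, checked in order (hypothetical
# heuristic for this example). A failed user-mode read is only "low": when the
# user-mode read fails there is nothing valid to compare, so the mismatch line
# that follows it is weaker evidence than "MBR hidden" from a kernel-level read.
_MBR_RULES = [
    ("user != kernel MBR", "high", "mbr-user-kernel-mismatch"),
    ("user: error reading MBR", "low", "mbr-user-read-error"),
    ("MBR hidden", "high", "mbr-hidden"),
    ("unknown MBR code", "medium", "mbr-unknown-code"),
]


def strip_timestamp(line: str) -> str:
    """Remove an aswMBR-style leading timestamp, if present."""
    return _TS_RE.sub("", line.rstrip())


def triage_line(line: str, source: str) -> Optional[Finding]:
    """Classify one log line; return None when it carries no indicator."""
    body = strip_timestamp(line)
    m = _INFECTED_RE.match(body)
    if m:
        return Finding(source, "high", "infected-file", f"{m['path']} -> {m['name']}")
    for needle, severity, label in _MBR_RULES:
        if needle in body:
            return Finding(source, severity, label, body)
    return None


def triage_log(text: str, source: str) -> list:
    """Run triage_line over every line of a log and collect the findings in order."""
    return [f for f in (triage_line(ln, source) for ln in text.splitlines()) if f]


def summarize(findings) -> dict:
    """Count findings per indicator label, e.g. {'infected-file': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.indicator] = counts.get(f.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_log(SAMPLE_ASWMBR_LOG, "aswMBR") + triage_log(SAMPLE_DDS_ROOTKIT_SECTION, "dds")
    for f in found:
        print(f"[{f.severity:6}] {f.source:7} {f.indicator}: {f.detail}")
    print(summarize(found))
```

Run against the two sample logs it reports the two flagged system32 executables, the hidden/unknown MBR lines from aswMBR, and the user/kernel mismatch from DDS. Note the caveat encoded in the rule table: in the DDS output from the first post, the user-mode read of PHYSICALDRIVE0 failed because another process had the drive open, so the "user != kernel MBR" line on its own does not settle the question; the aswMBR "MBR hidden" result from a kernel-level read is the stronger signal, which is why the helper asked for that scan next.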

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Location:Numpty HQ

Posted 25 July 2011 - 04:14 PM

Good evening. :)

Download OTL by OldTimer from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Quick Scan button and allow it to do its thing.
  • Once complete, it should open two Notepad windows - OTL.Txt and Extras.Txt
  • It should also save copies in the same location as OTL.
  • I want you to copy and paste the contents of OTL.txt that should appear into one reply and Extras.Txt into another.
  • The length of the two logs sometimes results in the end being chopped off if you post both in one reply.

So long, and thanks for all the fish.

#7 Kroto

  • Topic Starter
  • Members
  • 8 posts

Posted 25 July 2011 - 04:32 PM

OTL logfile created on: 7/25/2011 4:26:38 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.39% Memory free
3.35 Gb Paging File | 2.36 Gb Available in Paging File | 70.48% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 51.93 Gb Free Space | 55.75% Space Free | Partition Type: NTFS
Drive E: | 111.79 Gb Total Space | 61.80 Gb Free Space | 55.28% Space Free | Partition Type: NTFS

Computer Name: N6220-W | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/25 16:25:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
PRC - [2011/07/19 17:09:15 | 000,569,344 | ---- | M] () -- C:\WINDOWS\system32\jgsh40032.exe
PRC - [2011/07/19 17:09:15 | 000,569,344 | ---- | M] () -- C:\WINDOWS\system32\ativcoxx32.exe
PRC - [2011/07/18 16:58:09 | 003,307,080 | ---- | M] (White Sky, Inc.) -- C:\Program Files\Constant Guard Protection Suite\IDVault.exe
PRC - [2011/07/08 02:16:28 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/07/05 10:24:06 | 000,395,528 | ---- | M] (StrikeForce Technologies Inc.) -- C:\Program Files\SFT\GuardedID\GIDD.exe
PRC - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccsvchst.exe
PRC - [2008/10/15 20:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\Installed\RealVNC\VNC4\winvnc4.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe
PRC - [2005/08/09 12:53:06 | 000,081,920 | ---- | M] (FUJITSU LIMITED) -- C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
PRC - [2005/06/08 11:20:32 | 000,069,632 | ---- | M] (FUJITSU LIMITED) -- C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
PRC - [2004/06/28 09:56:12 | 000,045,056 | R--- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint2K\Hidfind.exe


========== Modules (SafeList) ==========

MOD - [2011/07/25 16:25:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
MOD - [2011/07/05 10:24:32 | 000,398,608 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\system32\GIDHook.dll
MOD - [2011/07/05 10:23:30 | 000,173,840 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\system32\GIDBIN1.dll
MOD - [2011/04/28 19:29:01 | 000,413,112 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\asoehook.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/07/12 03:02:02 | 000,653,120 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\microsoft.vc90.crt\msvcr90.dll
MOD - [2009/07/12 03:02:00 | 000,569,664 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\microsoft.vc90.crt\msvcp90.dll
MOD - [2009/06/12 15:32:16 | 000,104,456 | ---- | M] () -- C:\WINDOWS\system32\EasyHook32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/19 17:09:15 | 000,569,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\jgsh40032.exe -- (SENS32)
SRV - [2011/07/18 16:58:13 | 000,062,536 | ---- | M] (White Sky, Inc.) [Auto | Stopped] -- C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe -- (IDVaultSvc)
SRV - [2011/04/16 19:45:11 | 000,130,008 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe -- (N360)
SRV - [2008/10/15 20:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\Installed\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)
SRV - [2008/05/21 06:42:56 | 000,064,000 | ---- | M] (Creative Technology Ltd) [On_Demand | Stopped] -- C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe -- (CTUPnPSv)
SRV - [2007/04/02 01:15:40 | 000,061,440 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- C:\Program Files\Creative\Shared Files\CTDevSrv.exe -- (CTDevice_Srv)


========== Driver Services (SafeList) ==========

DRV - [2011/07/23 15:20:29 | 000,083,064 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\SMR200.SYS -- (SMR200)
DRV - [2011/07/23 14:38:28 | 000,126,584 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/07/22 04:16:48 | 000,355,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20110722.031\IDSXpx86.sys -- (IDSxpx86)
DRV - [2011/07/13 01:00:00 | 001,542,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110725.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/07/13 01:00:00 | 000,086,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20110725.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/05 10:24:24 | 000,025,232 | ---- | M] (StrikeForce Technologies, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\gidv2.sys -- (GIDv2)
DRV - [2011/07/01 00:11:24 | 000,810,616 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20110701.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2011/05/11 22:34:18 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/05/11 22:34:18 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/03/30 22:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2011/03/30 22:04:12 | 000,044,024 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2011/03/30 22:00:09 | 000,516,216 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SRTSP.SYS -- (SRTSP)
DRV - [2011/03/30 22:00:09 | 000,050,168 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2011/03/21 19:39:49 | 000,369,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\N360\0501000.01D\SYMTDI.SYS -- (SYMTDI)
DRV - [2011/03/14 21:31:23 | 000,744,568 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMEFA.SYS -- (SymEFA)
DRV - [2011/01/27 01:47:10 | 000,340,088 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\SYMDS.SYS -- (SymDS)
DRV - [2010/11/15 20:45:33 | 000,136,312 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\N360\0501000.01D\Ironx86.SYS -- (SymIRON)
DRV - [2010/09/02 17:49:08 | 000,013,312 | ---- | M] (June Fabrics Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pneteth.sys -- (pneteth)
DRV - [2009/07/28 23:46:24 | 000,212,528 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/04/13 13:45:34 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irbus.sys -- (IrBus)
DRV - [2007/02/08 08:45:14 | 000,029,184 | R--- | M] (Thesycon GmbH, Germany) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dsiarhwprog.sys -- (dsiarhwprog)
DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2006/09/28 15:32:14 | 000,009,472 | ---- | M] (June Fabrics Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pnetmdm.sys -- (pnetmdm)
DRV - [2005/09/14 16:13:14 | 001,945,984 | ---- | M] (AVerMedia Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avusbpvr.sys -- (AVUSBPVR)
DRV - [2005/08/15 19:22:40 | 001,094,853 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/08/03 09:10:18 | 001,273,344 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/21 16:56:22 | 000,007,196 | ---- | M] (FUJITSU LIMITED) [Kernel | Auto | Running] -- C:\Program Files\Fujitsu\FlashAid\FlashDrv.sys -- (FlashDrv)
DRV - [2005/07/21 16:20:46 | 000,021,120 | ---- | M] (FUJITSU LIMITED) [Kernel | Auto | Running] -- C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys -- (BtnHnd)
DRV - [2005/07/13 03:26:52 | 003,851,264 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/05/19 03:56:24 | 000,160,256 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/04/30 02:01:56 | 003,281,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel®
DRV - [2005/04/05 02:38:32 | 000,132,352 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k) Broadcom NetLink ™
DRV - [2005/01/07 19:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/01/17 06:15:20 | 000,004,864 | ---- | M] (FUJITSU LIMITED) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fuj02e3.sys -- (FUJ02E3)
DRV - [2001/12/20 06:32:20 | 000,007,552 | R--- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\usbprn.sys -- (BulkUsb)
DRV - [2001/08/01 07:00:22 | 000,005,248 | ---- | M] (FUJITSU LIMITED) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\fuj02b1.sys -- (FUJ02B1)
DRV - [2001/06/20 12:03:38 | 000,017,016 | ---- | M] (Destiny Technology Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\Kpsysdrv.sys -- (KPSYSDRV)
DRV - [1999/09/10 12:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (ASPI32)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://192.168.33.1/PCtrl_Login.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = E1 79 3E 01 EF 25 24 4A AC D5 7E E1 9D 22 01 FA [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 4

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\ [2011/07/23 14:52:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_0_8 [2011/07/23 15:18:26 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/07/22 14:35:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/22 14:29:24 | 000,000,000 | ---D | M]

[2011/07/22 14:36:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/07/22 17:12:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions
[2011/07/23 14:19:16 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{92dd2ac1-2320-4dd4-a5c0-f863d2f15087}
[2011/07/22 14:41:31 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{f64a20cd-95ab-442b-ab28-8945b0e04afa}
[2011/07/22 14:35:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
() (No name found) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\P9VIU6F7.DEFAULT\EXTENSIONS\{D4DD63FA-01E4-46A7-B6B1-EDAB7D6AD389}.XPI
[2011/07/23 15:18:26 | 000,000,000 | ---D | M] (Norton Toolbar) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\COFFPLGN_2011_7_0_8
[2011/07/23 14:52:31 | 000,000,000 | ---D | M] (Symantec IPS) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPLGN
[2011/07/22 15:14:10 | 000,000,000 | ---D | M] (CGPS Extension) -- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WHITE SKY, INC\ID VAULT\XPCOM5
[2010/11/26 04:10:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/07/08 02:16:28 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2009/11/20 16:05:31 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/11/20 16:05:32 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ips\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Constant Guard Protection Suite (COM)) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\Program Files\Constant Guard Protection Suite\NativeBHO.dll (WhiteSky)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - No CLSID value found.
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
O4 - HKLM..\Run: [DelPnPDirver] c:\Program Files\Installed\panasonic_kxp7100\Delpnpd.exe ()
O4 - HKLM..\Run: [GIDDesktop] C:\Program Files\SFT\GuardedID\gidd.exe (StrikeForce Technologies Inc.)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe (FUJITSU LIMITED)
O4 - HKLM..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe (FUJITSU LIMITED)
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\PdaNet Desktop.lnk = C:\Program Files\PdaNet for Android\PdaNetPC.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Constant Guard.lnk = C:\Program Files\Constant Guard Protection Suite\IDVault.exe (White Sky, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Installed\MSOffice2003\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Installed\MSOffice2003\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289672509671 (WUWebControl Class)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/DellSystemLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.10.31.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\GIDLogonXP: DllName - GIDLogonXP.dll - C:\WINDOWS\System32\GIDLogonXP.dll (StrikeForce Technologies Inc)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Fujitsu\FMVSaver\CreatedFileByFujitsuScreenSaver.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Fujitsu\FMVSaver\CreatedFileByFujitsuScreenSaver.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/09/14 13:17:58 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{602f8c76-e461-11df-b42c-806d6172696f}\Shell\AutoRun\command - "" = F:\setupSNK.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/25 16:25:48 | 000,579,584 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
[2011/07/25 03:44:57 | 001,915,904 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/07/23 15:20:29 | 000,083,064 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR200.SYS
[2011/07/23 14:59:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\NPE
[2011/07/23 14:28:25 | 000,044,024 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymIM.sys
[2011/07/22 16:45:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Defense
[2011/07/22 16:41:50 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2011/07/22 15:19:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2011/07/22 12:06:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2011/07/21 22:41:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/07/21 22:21:59 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2011/07/21 22:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2011/07/20 19:07:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/20 19:07:38 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/20 19:07:30 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/20 19:07:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/14 12:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2011/07/14 12:06:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Maxtor
[2011/07/14 12:06:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Maxtor Quick Start
[2011/07/14 12:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\Maxtor
[2011/07/14 12:05:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\Downloaded Installations
[2011/07/05 10:25:38 | 000,066,328 | ---- | C] (StrikeForce Technologies Inc) -- C:\WINDOWS\System32\SysEventMenu.dll
[2011/07/05 10:25:12 | 000,053,528 | ---- | C] (StrikeForce Technologies Inc) -- C:\WINDOWS\System32\GIDLogonXP.dll
[2011/07/05 10:24:42 | 000,380,696 | ---- | C] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDHookLogon.dll
[2011/07/05 10:24:32 | 000,398,608 | ---- | C] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDHook.dll
[2011/07/05 10:23:48 | 000,102,160 | ---- | C] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDBIN3.dll
[2011/07/05 10:23:30 | 000,173,840 | ---- | C] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDBIN1.dll
[2011/06/30 07:28:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
[2010/02/07 11:36:00 | 000,010,475 | ---- | C] ( ) -- C:\WINDOWS\System32\Kpprtui.dll
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[392 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]
[117 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/25 16:25:50 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.scr
[2011/07/25 16:08:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3789491063-3404121777-688509740-500UA.job
[2011/07/25 15:54:37 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/07/25 03:45:45 | 001,915,904 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/07/24 17:08:02 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3789491063-3404121777-688509740-500Core.job
[2011/07/23 15:20:48 | 000,000,020 | ---- | M] () -- C:\WINDOWS\System32\drivers\SMR200.dat
[2011/07/23 15:20:29 | 000,083,064 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SMR200.SYS
[2011/07/23 15:17:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/23 15:16:07 | 000,000,209 | -HS- | M] () -- C:\boot.ini
[2011/07/23 14:44:59 | 000,609,194 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0501000.01D\Cat.DB
[2011/07/23 14:38:28 | 000,126,584 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2011/07/23 14:38:28 | 000,060,872 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2011/07/23 14:38:28 | 000,007,468 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2011/07/23 14:38:28 | 000,000,806 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2011/07/23 14:18:50 | 000,001,940 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/07/22 16:40:11 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/07/22 14:35:57 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/07/22 14:35:56 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/07/22 12:03:52 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/21 20:42:43 | 000,001,962 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Constant Guard.lnk
[2011/07/21 20:42:42 | 000,001,950 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Constant Guard.lnk
[2011/07/20 21:55:31 | 000,002,827 | ---- | M] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2011/07/20 15:07:23 | 000,436,064 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.old
[2011/07/20 12:58:43 | 000,047,616 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/19 17:09:26 | 000,000,064 | ---- | M] () -- C:\WINDOWS\System32\307272428
[2011/07/19 17:09:15 | 000,569,344 | ---- | M] () -- C:\WINDOWS\System32\jgsh40032.exe
[2011/07/19 17:09:15 | 000,569,344 | ---- | M] () -- C:\WINDOWS\System32\ativcoxx32.exe
[2011/07/18 14:32:45 | 000,001,125 | ---- | M] () -- C:\WINDOWS\System32\Kpwsgdi.ini
[2011/07/18 14:32:45 | 000,000,022 | ---- | M] () -- C:\WINDOWS\SUMO.INI
[2011/07/14 03:22:00 | 000,145,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/06 19:02:05 | 000,004,828 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\D276.EE1
[2011/07/05 10:25:38 | 000,066,328 | ---- | M] (StrikeForce Technologies Inc) -- C:\WINDOWS\System32\SysEventMenu.dll
[2011/07/05 10:25:12 | 000,053,528 | ---- | M] (StrikeForce Technologies Inc) -- C:\WINDOWS\System32\GIDLogonXP.dll
[2011/07/05 10:24:42 | 000,380,696 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDHookLogon.dll
[2011/07/05 10:24:32 | 000,398,608 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDHook.dll
[2011/07/05 10:24:24 | 000,025,232 | ---- | M] (StrikeForce Technologies, Inc.) -- C:\WINDOWS\System32\drivers\gidv2.sys
[2011/07/05 10:23:48 | 000,102,160 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDBIN3.dll
[2011/07/05 10:23:30 | 000,173,840 | ---- | M] (StrikeForce Technologies Inc.) -- C:\WINDOWS\System32\GIDBIN1.dll
[7 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[392 C:\Documents and Settings\Administrator\My Documents\*.tmp files -> C:\Documents and Settings\Administrator\My Documents\*.tmp -> ]
[117 C:\Documents and Settings\Administrator\Desktop\*.tmp files -> C:\Documents and Settings\Administrator\Desktop\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\Documents and Settings\Administrator\*.tmp files -> C:\Documents and Settings\Administrator\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/25 15:54:37 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/07/23 15:20:46 | 000,000,020 | ---- | C] () -- C:\WINDOWS\System32\drivers\SMR200.dat
[2011/07/22 16:40:11 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\defogger_reenable
[2011/07/22 14:35:56 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2011/07/22 14:35:56 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2011/07/20 21:55:31 | 000,002,827 | ---- | C] () -- C:\Documents and Settings\Administrator\.recently-used.xbel
[2011/07/19 17:09:26 | 000,569,344 | ---- | C] () -- C:\WINDOWS\System32\ativcoxx32.exe
[2011/07/19 17:09:24 | 000,569,344 | ---- | C] () -- C:\WINDOWS\System32\jgsh40032.exe
[2011/07/19 17:09:24 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\307272428
[2011/07/06 11:52:40 | 000,004,828 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\D276.EE1
[2011/06/17 03:21:26 | 000,235,208 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2011/05/29 13:32:52 | 000,000,012 | ---- | C] () -- C:\WINDOWS\acmmzx.dll
[2011/05/19 14:14:13 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2010/11/26 14:12:57 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\nvRegDev.dll
[2010/04/11 16:46:46 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/18 19:08:50 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat
[2010/02/17 20:55:39 | 000,047,616 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/16 19:28:30 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/02/07 21:47:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2010/02/07 11:46:00 | 000,000,022 | ---- | C] () -- C:\WINDOWS\SUMO.INI
[2010/02/07 11:36:19 | 000,000,000 | ---- | C] () -- C:\Program Files\gditst
[2010/02/07 11:36:01 | 000,000,045 | ---- | C] () -- C:\WINDOWS\Kxp7100w.ini
[2010/02/07 11:36:00 | 000,031,428 | ---- | C] () -- C:\WINDOWS\System32\Kpprtmon.dll
[2010/02/07 11:36:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\Usb2pvm.dll
[2010/02/07 11:34:24 | 000,001,125 | ---- | C] () -- C:\WINDOWS\System32\Kpwsgdi.ini
[2010/02/07 11:34:22 | 000,024,576 | R--- | C] () -- C:\WINDOWS\P7100AP.exe
[2010/02/07 11:34:21 | 000,007,552 | R--- | C] () -- C:\WINDOWS\System32\drivers\usbprn.sys
[2009/06/12 15:32:16 | 000,104,456 | ---- | C] () -- C:\WINDOWS\System32\EasyHook32.dll
[2005/09/14 17:56:55 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/09/14 16:31:02 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2005/09/14 15:59:51 | 000,000,008 | R--- | C] () -- C:\WINDOWS\System32\drivers\RtkHDAud.dat
[2005/09/14 15:59:46 | 000,040,960 | R--- | C] () -- C:\WINDOWS\System32\ChCfg.exe
[2005/09/14 15:54:16 | 000,095,617 | R--- | C] () -- C:\WINDOWS\System32\atiicdxx.dat
[2005/09/14 15:22:22 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2005/09/14 13:30:40 | 000,001,514 | ---- | C] () -- C:\WINDOWS\System32\FJSaver.ini
[2005/09/14 13:21:51 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2005/09/14 13:13:02 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2005/09/14 13:10:33 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/09/14 12:58:03 | 000,000,505 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2005/09/14 12:48:06 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2005/09/14 12:47:13 | 000,446,360 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2005/09/14 12:47:13 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2005/09/14 12:47:13 | 000,073,400 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2005/09/14 12:47:13 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2005/09/14 12:46:57 | 000,004,588 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2005/09/14 12:46:39 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/09/14 12:46:13 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/09/14 12:44:44 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2005/09/14 12:44:41 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2005/09/14 12:41:51 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2005/09/14 12:39:53 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2005/09/14 06:05:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2005/09/14 06:04:20 | 000,145,216 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2005/08/24 03:57:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/08/05 16:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/01/13 05:46:34 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2011/04/12 19:32:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\.minecraft
[2011/06/01 12:15:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\advantage
[2010/02/18 19:27:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AnvSoft
[2011/06/01 12:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FontCreator
[2010/12/11 15:28:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FreeFLVConverter
[2011/06/25 00:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\gtk-2.0
[2011/06/17 11:32:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ID Vault
[2011/07/14 12:06:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Maxtor Quick Start
[2010/08/08 22:16:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\NCH Swift Sound
[2010/09/28 17:53:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Pokemon Lab
[2010/11/23 23:34:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Tific
[2010/02/16 19:08:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Trillian
[2011/07/22 16:57:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/08/10 00:48:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\zenses
[2011/06/11 13:27:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IsolatedStorage
[2011/07/14 12:12:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2011/04/05 20:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MediaMonkey
[2010/08/08 19:44:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
[2011/06/11 13:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\White Sky, Inc
[2010/02/17 16:43:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{26D901A1-2540-4430-81DC-0317F01BD7BE}
[2010/02/17 16:50:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{47B5977E-772D-4BBA-AAA4-4C8FF0532136}
[2010/02/17 16:42:51 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{931A06E7-990D-42F4-AE94-8316414DCC1E}

========== Purity Check ==========



< End of report >

OTL Extras logfile created on: 7/25/2011 4:26:38 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 51.39% Memory free
3.35 Gb Paging File | 2.36 Gb Available in Paging File | 70.48% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 51.93 Gb Free Space | 55.75% Space Free | Partition Type: NTFS
Drive E: | 111.79 Gb Total Space | 61.80 Gb Free Space | 55.28% Space Free | Partition Type: NTFS

Computer Name: N6220-W | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Installed\MSOffice2003\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Installed\MSOffice2003\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- Reg Error: Key error.
https [open] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "F:\VLCPortable\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1"
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [MediaMonkey.1Play] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\PROGRA~1\MEDIAM~1\MEDIAM~2.EXE" /ADD "%1" (Ventis Media Inc.)
Directory [PlayWithVLC] -- "F:\VLCPortable\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1"
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{04ECD699-9F3A-4F9C-A476-EEAA4E172079}" = Fujitsu System Extension Utility
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{24CDEFB8-A60B-4C93-A97A-0CFC7E1C26F1}" = LifeBook Application Panel
"{2C08D7E7-9EE1-4A08-AFE0-745F02DCD6A4}_is1" = Pokemon Online 1.0.21
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3758FA-C2DF-4E10-9D29-0CC28DA9214A}" = FlashAid
"{4442AB48-DEC4-4B39-B067-1F75BF8017E7}" = Creative Centrale
"{4817189D-1785-4627-A33C-39FD90919300}" = The Sims 2 Pets
"{5023A77D-D7B2-40D3-A74D-016469B2AB81}" = ATI Catalyst Control Center
"{60451544-C17E-4057-9273-5F10176472BD}" = Creative ZEN X-Fi Video Converter
"{64963F0E-03F2-4B59-8D1B-1806545E7092}" = NVIDIA DDS Utilities
"{669A032D-4E28-3D11-BB26-8AD5D51EFE87}" = Google Talk Plugin
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = CyberLink Codec
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business
"{805BDB3F-6803-45F7-B959-4FE5B921BC55}" = Fujitsu Hotkey Utility
"{86604C06-DA30-425E-AECE-47304FE81C45}" = Creative Software Update
"{87F6C83D-F949-4d14-B5CB-DC8C75F8932D}" = The Sims™ 2 FreeTime
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8FD3F4BA-A4A6-4380-00A6-CC6853AB2DC2}" = The Sims 2 University
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9191979D-821C-4EA8-B021-2DA1D859A7C5}" = GuardedID
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AA48BD14-62E8-457C-B2DA-9A1C7B4A40F5}" = TIxx21
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.5
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6F5B704-06D3-4687-90F3-6195304AD755}" = The Sims™ 2 Apartment Life
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D8D06241-617C-42AB-B9C7-D9BA5A377D10}" = NVIDIA Texture Tools 2
"{DFEF49D9-FC95-4301-99B9-2FB91C6ABA06}" = The Sims™ 2 Seasons
"{E0FAA0BA-874E-47C8-9ECA-BB333006CF16}" = Fujitsu Driver Update V1.1L46
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F248ADFA-64E0-4b03-8A83-059078BED6A0}" = The Sims™ 2 Bon Voyage
"{F4764FAC-C2DA-4CF8-BCDC-2353DDA229DB}" = Maxtor Quick Start
"{F7529650-B9DB-481B-0089-A2AC3C2821C1}" = The Sims 2 Nightlife
"Action Replay DSi Code Manager_is1" = Action Replay DSi Code Manager
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"All ATI Software" = ATI - Software Uninstall Utility
"Any Video Converter_is1" = Any Video Converter 3.0.3
"ATI Display Driver" = ATI Display Driver
"Audacity_is1" = Audacity 1.2.6
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Creative Centrale" = Creative Centrale
"Creative ZEN X-Fi Video Converter" = Creative ZEN X-Fi Video Converter
"E882UninstallerSetup" = AVerMedia E882 Driver Uninstaller
"ESET Online Scanner" = ESET Online Scanner v3
"ExtractNow_is1" = ExtractNow
"Free FLV Converter_is1" = Free FLV Converter V 6.93.0
"ID Vault" = Constant Guard Protection Suite
"ie8" = Windows Internet Explorer 8
"InstallShield_{AA48BD14-62E8-457C-B2DA-9A1C7B4A40F5}" = Texas Instruments PCIxx21/x515 drivers.
"InstallShield_{F4764FAC-C2DA-4CF8-BCDC-2353DDA229DB}" = Maxtor Quick Start
"JAIELangPack" = Japanese Language Support
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.1.1800
"MediaMonkey_is1" = MediaMonkey 3.2
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 5.0.1 (x86 en-US)" = Mozilla Firefox 5.0.1 (x86 en-US)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"N360" = Norton Security Suite
"Panasonic KX-P7100" = Panasonic KX-P7100
"PdaNet_is1" = PdaNet for Android 2.42
"RealVNC_is1" = VNC Free Edition 4.1.3
"Sims 2 Wardrobe Wrangler v1.1" = Sims 2 Wardrobe Wrangler v1.1
"Sims2Pack Clean Installer" = Sims2Pack Clean Installer
"Steam App 400" = Portal
"Trillian" = Trillian
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.1.10
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinGimp-2.0_is1" = GIMP 2.6.8
"winusb0100" = Microsoft WinUsb 1.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Zenses2" = Zenses2 Beta2

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/17/2011 11:35:00 AM | Computer Name = N6220-W | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/21/2011 12:50:33 AM | Computer Name = N6220-W | Source = Application Error | ID = 1000
Description = Faulting application wordconv.exe, version 12.0.6500.5000, faulting
module unknown, version 0.0.0.0, fault address 0x3136a2e0.

Error - 7/22/2011 3:27:49 PM | Computer Name = N6220-W | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/22/2011 3:28:32 PM | Computer Name = N6220-W | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/23/2011 3:26:45 PM | Computer Name = N6220-W | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: The data is invalid.

Error - 7/23/2011 3:32:38 PM | Computer Name = N6220-W | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 5.0.1.4205, faulting module
msvcr90.dll, version 9.0.21022.8, fault address 0x0006c955.

Error - 7/23/2011 3:48:40 PM | Computer Name = N6220-W | Source = IDVault | ID = 0
Description = IsStrikeForceAlreadyRunning MainModule.FileName; failed Only part
of a ReadProcessMemory or WriteProcessMemory request was completed at System.Diagnostics.NtProcessManager.GetModuleInfos(Int32
processId, Boolean firstModuleOnly) at System.Diagnostics.NtProcessManager.GetFirstModuleInfo(Int32
processId) at System.Diagnostics.Process.get_MainModule() at (Object ) at
? .? . ()

Error - 7/23/2011 3:48:42 PM | Computer Name = N6220-W | Source = IDVault | ID = 0
Description = IsStrikeForceAlreadyRunning failed Cannot process request because
the process (3960) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32
access, Boolean throwIfExited) at System.Diagnostics.Process.OpenProcessHandle()

at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value) at (Object
, Boolean ) at ? .? . ()

Error - 7/23/2011 4:01:14 PM | Computer Name = N6220-W | Source = IDVault | ID = 0
Description = IsStrikeForceAlreadyRunning MainModule.FileName; failed Only part
of a ReadProcessMemory or WriteProcessMemory request was completed at System.Diagnostics.NtProcessManager.GetModuleInfos(Int32
processId, Boolean firstModuleOnly) at System.Diagnostics.NtProcessManager.GetFirstModuleInfo(Int32
processId) at System.Diagnostics.Process.get_MainModule() at (Object ) at
? .? . ()

Error - 7/23/2011 4:01:15 PM | Computer Name = N6220-W | Source = IDVault | ID = 0
Description = IsStrikeForceAlreadyRunning failed Cannot process request because
the process (3760) has exited. at System.Diagnostics.Process.GetProcessHandle(Int32
access, Boolean throwIfExited) at System.Diagnostics.Process.OpenProcessHandle()

at System.Diagnostics.Process.set_EnableRaisingEvents(Boolean value) at (Object
, Boolean ) at ? .? . ()

[ System Events ]
Error - 7/23/2011 4:04:20 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7000
Description = The CGPS Service service failed to start due to the following error:
%%1053

Error - 7/23/2011 4:04:20 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 7/23/2011 4:18:56 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7000
Description = The Genesys Logic USB Controller NT 5.0 service failed to start due
to the following error: %%1058

Error - 7/23/2011 4:19:03 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the CGPS Service service
to connect.

Error - 7/23/2011 4:19:03 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7000
Description = The CGPS Service service failed to start due to the following error:
%%1053

Error - 7/23/2011 4:19:03 PM | Computer Name = N6220-W | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 7/23/2011 4:29:19 PM | Computer Name = N6220-W | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 7/24/2011 12:57:56 PM | Computer Name = N6220-W | Source = Dhcp | ID = 1002
Description = The IP address lease 10.10.31.4 for the Network Card with network
address 000B5DC6AC1D has been denied by the DHCP server 10.10.31.1 (The DHCP Server
sent a DHCPNACK message).

Error - 7/24/2011 3:43:03 PM | Computer Name = N6220-W | Source = MRxSmb | ID = 8003
Description = The master browser has received a server announcement from the computer
HP_DV4 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{CBF1E6C6-2B52-4FAF-99.
The master browser is stopping or an election is being forced.

Error - 7/25/2011 4:44:08 AM | Computer Name = N6220-W | Source = Dhcp | ID = 1002
Description = The IP address lease 10.10.31.9 for the Network Card with network
address 000B5DC6AC1D has been denied by the DHCP server 10.10.31.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

#8 Noviciate
  • Malware Response Team

Posted 25 July 2011 - 04:57 PM

Run OTL.exe.
  • Copy and paste the following into the Custom Scans/Fixes box at the bottom:

    :processes
    killallprocesses

    :OTL
    SRV - [2011/07/19 17:09:15 | 000,569,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\jgsh40032.exe -- (SENS32)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

    :Files
    ipconfig /flushdns /c
    C:\WINDOWS\System32\ativcoxx32.exe
    C:\WINDOWS\System32\307272428
    C:\WINDOWS\acmmzx.dll

    :Commands
    [resethosts]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Click the Run Fix button at the top.
  • Let the program run until it has completed and then reboot the PC when it is done.
Please let me have a copy of the log that appears once OTL has completed its run.

So long, and thanks for all the fish.
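
The fix script above is nothing more than a list of OTL scan lines that the responder judged malicious, pasted back into OTL so that it removes them. The following Python is an added example (it is neither OTL's code nor anything posted in this thread) that applies the same judgement mechanically: it parses scan lines in the shapes seen in the script (SRV, O2, O3, O16), flags the ones a malware responder would remove, and prints a fix block in OTL's own :OTL / :Commands syntax. The regexes are written from the line shapes visible in this thread and are an assumption about OTL's log format; the two benign sample lines, their placeholder CLSID and paths are constructed; and the "the real SENS service runs inside svchost.exe" check is a heuristic of mine.

```python
"""Triage of OTL scan lines.

Added example for this thread; it is neither OTL's code nor the responder's.
The regexes describe the line shapes visible in the fix script above and are
an assumption about OTL's log format, not its specification.
"""
import re
from dataclasses import dataclass

# SRV - [stamp | size | attrs | M] (Company) [Start | State] -- path -- (ServiceName)
SRV_RE = re.compile(
    r"^SRV - \[(?P<stamp>[^\]]+)\] \((?P<company>[^)]*)\) "
    r"\[(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)
# O2 - BHO: (name) - {CLSID} - target
O2_RE = re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# O3 - HKCU\..\Toolbar\WebBrowser: (name) - {CLSID} - target
O3_RE = re.compile(
    r"^O3 - (?P<hive>HK\w+)\\\.\.\\Toolbar\\(?P<kind>\w+): \((?P<name>[^)]*)\) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"
)
# O16 - DPF: {CLSID} url (target)
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) (?P<url>\S+) \((?P<target>[^)]*)\)$")

# Heuristic: a few letters followed by a run of digits, e.g. jgsh40032.
RANDOM_STEM = re.compile(r"^[a-z]{2,6}\d{3,}$")


@dataclass
class Finding:
    kind: str    # SRV, O2, O3 or O16
    line: str    # the scan line verbatim; OTL accepts it unchanged in a :OTL block
    reason: str


def _service_reasons(m):
    """Heuristics for an SRV line; an empty list means 'nothing to flag'."""
    path = m["path"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    in_system32 = path.lower().startswith("c:\\windows\\system32\\")
    reasons = []
    if not m["company"].strip() and in_system32:
        reasons.append("service binary in system32 carries no company name")
    if RANDOM_STEM.match(stem):
        reasons.append(f"random-looking binary name '{stem}'")
    # The real System Event Notification service (SENS) is hosted by svchost.exe;
    # a SENS-like service name bound to its own executable imitates it (heuristic).
    if m["name"].upper().startswith("SENS") and stem != "svchost":
        reasons.append(f"service name '{m['name']}' imitates SENS but does not run in svchost.exe")
    return reasons


def triage(lines):
    """Return a Finding for each scan line that a responder would remove."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := SRV_RE.match(line):
            reasons = _service_reasons(m)
            if reasons:
                findings.append(Finding("SRV", line, "; ".join(reasons)))
        elif m := (O2_RE.match(line) or O3_RE.match(line)):
            if m["target"].startswith("No CLSID value found"):
                findings.append(Finding(line[:2], line, "orphaned registration: CLSID has no class key"))
        elif m := O16_RE.match(line):
            if "Reg Error" in m["target"]:
                findings.append(Finding("O16", line, "ActiveX distribution unit with broken registry data"))
    return findings


def build_fix_script(findings):
    """Emit the block to paste into OTL's Custom Scans/Fixes box."""
    body = "\n".join(f.line for f in findings)
    return f":OTL\n{body}\n\n:Commands\n[CREATERESTOREPOINT]\n[Reboot]\n"


# Sample input: the six lines from the fix script above plus two constructed
# benign lines (the benign CLSID and paths are placeholders, not real entries).
SAMPLE_LINES = [
    r"SRV - [2011/07/19 17:09:15 | 000,569,344 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\jgsh40032.exe -- (SENS32)",
    r"SRV - [2008/04/14 00:12:00 | 000,014,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\svchost.exe -- (SENS)",
    r"O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - No CLSID value found.",
    r"O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Corp.)",
    r"O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.",
    r"O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No CLSID value found.",
    r"O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f.kind}: {f.reason}")
    print(build_fix_script(found))
```

The heuristics flag shapes, not proven malware, so each reason still needs a human look before the printed block goes into the Custom Scans/Fixes box. The :Files entries of the responder's script (the dropped binaries and the DNS flush) come from reading the rest of the scan, which this triage does not cover.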

#9 Kroto
  • Topic Starter

Posted 25 July 2011 - 05:11 PM

After the reboot, there are many faded "~WRLxxx.tmp" icons (where the "x"s are digits) on my desktop, which, when I have seen them before, were temporary files created by Microsoft Word. I do not know if this was an intended or expected result, but I am reporting it just in case.

========== PROCESSES ==========
All processes killed
========== OTL ==========
Service SENS32 stopped successfully!
Service SENS32 deleted successfully!
C:\WINDOWS\system32\jgsh40032.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDF3E430-B101-42AD-A544-FADC6B084872}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5BED3930-2E9E-76D8-BACC-80DF2188D455} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BED3930-2E9E-76D8-BACC-80DF2188D455}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Administrator\Desktop\Defense\cmd.bat deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Defense\cmd.txt deleted successfully.
C:\WINDOWS\System32\ativcoxx32.exe moved successfully.
C:\WINDOWS\System32\307272428 moved successfully.
C:\WINDOWS\acmmzx.dll moved successfully.
========== COMMANDS ==========
HOSTS file reset successfully

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 2105 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.26.1 log created on 07252011_170119

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#10 Noviciate
  • Malware Response Team

Posted 26 July 2011 - 02:41 PM

Good evening. :)

Quote: "I do not know if this was an intended or expected result"

Unexpected actually. Take the PC for a run out and tell me how it's behaving. Also, stick all the .tmp icons in a folder and stick it somewhere safe for now - I don't think it will matter if you just delete them, but we'll worry about them once the PC is behaving itself.


#11 Kroto
  • Topic Starter

Posted 26 July 2011 - 03:09 PM

Greetings.

I am not sure how or why, but the .tmp files disappeared on their own after I closed the computer (laptop) and opened it again at a later time last night. No one else has been using this computer in the last few days, so they were not manually deleted. I am not very worried about those.

I have not had any crashes with Firefox or proxy errors, but I just received a redirect on my first Google search. If it helps any, I went ahead and copied the address that the redirect sends me to, which is 63.209.69.107 (or sometimes, "find.fast.answers").

Edited by Kroto, 26 July 2011 - 03:10 PM.


#12 Noviciate
  • Malware Response Team

Posted 26 July 2011 - 03:54 PM

Download GooredFix by jpshortstuff from here and save it to your Desktop.
  • Double click the file to run it.
  • Enter 1 to select that option and hit <ENTER>.
  • A text file, Gooredlog.txt will open, and when you close it, it will be saved to your Desktop.
  • Copy the contents into your next reply.
  • Running Option 2 may or may not be advised, so post the log from option 1 first!


#13 Kroto
  • Topic Starter

Posted 26 July 2011 - 04:01 PM

I did not get options for "1" or "2," the program simply ran automatically and created the log. I ran it twice just in case I'd missed the "1/2" prompt, but still none.

EDIT: Sorry, this should have been common sense, but I have attached logs from both runs of GooredFix.

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:58 on 26/07/2011 (Administrator)
Firefox version 5.0.1 (en-US)

========== GooredScan ==========

Deleting "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{92dd2ac1-2320-4dd4-a5c0-f863d2f15087}" -> Success!
Deleting "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\{f64a20cd-95ab-442b-ab28-8945b0e04afa}" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:35 22/07/2011]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{BBDA0591-3099-440a-AA10-41764D9DB4DB}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\" [19:31 23/07/2011]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_0_8" [22:04 25/07/2011]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:08 24/11/2010]

-=E.O.F=-

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:59 on 26/07/2011 (Administrator)
Firefox version 5.0.1 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:35 22/07/2011]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p9viu6f7.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{BBDA0591-3099-440a-AA10-41764D9DB4DB}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\IPSFFPlgn\" [19:31 23/07/2011]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\coFFPlgn_2011_7_0_8" [22:04 25/07/2011]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [17:08 24/11/2010]

---------- Old Logs ----------
GooredFix[20.58.54_26-07-2011].txt

-=E.O.F=-

Edited by Kroto, 26 July 2011 - 04:09 PM.
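
GooredFix, as the instructions in #12 and the log above show, looks in two places for the redirector's Firefox extension: the profile's extensions folder and the HKLM\Software\Mozilla\Firefox\Extensions list, and it deleted two GUID-named folders from the profile here. The following Python is an added example, not GooredFix's code and not from this thread, that shows the profile side of that audit in a portable form: it walks a profile's extensions directory, reads each install.rdf for its em:id, and flags folders that have no manifest or whose name does not match the declared id. The profile is built in a temporary directory with constructed contents; the two GUIDs from the log are reused only as folder names, and the assumption that Firefox names an unpacked extension folder after its em:id, with the default theme {972ce4c6-7e08-4474-a285-3208198ce6fd} treated as legitimate, is mine.

```python
"""Audit of a Firefox profile's extensions folder.

Added example, not GooredFix's code and not from the thread. Assumption:
Firefox names each unpacked extension folder after the em:id in its
install.rdf, so a folder with no manifest, or with a manifest declaring a
different id, was not installed through Firefox itself.
"""
import os
import re
import tempfile

# The default theme seen in the GooredFix log; treated as legitimate here.
DEFAULT_THEME_ID = "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# em:id appears either as an element or as an attribute of <Description>.
EM_ID_RE = re.compile(r'<em:id>\s*([^<\s]+)\s*</em:id>|\bem:id="([^"]+)"')


def read_declared_id(ext_dir):
    """Return the em:id declared in install.rdf, or None if absent/unreadable."""
    manifest = os.path.join(ext_dir, "install.rdf")
    if not os.path.isfile(manifest):
        return None
    with open(manifest, encoding="utf-8", errors="replace") as fh:
        m = EM_ID_RE.search(fh.read())
    return (m.group(1) or m.group(2)) if m else None


def audit_extensions(ext_root, allow=frozenset({DEFAULT_THEME_ID})):
    """Return [(entry, verdict)] for each entry under <profile>/extensions."""
    verdicts = []
    for entry in sorted(os.listdir(ext_root)):
        full = os.path.join(ext_root, entry)
        if entry in allow:
            verdicts.append((entry, "ok: allow-listed"))
        elif not os.path.isdir(full):
            # Packed .xpi or a text pointer file: report it, judge it by hand.
            verdicts.append((entry, "review: not an unpacked extension folder"))
        else:
            declared = read_declared_id(full)
            if declared is None:
                verdicts.append((entry, "suspicious: no install.rdf"))
            elif declared.lower() != entry.lower():
                verdicts.append((entry, f"suspicious: folder name != em:id {declared}"))
            elif GUID_RE.match(entry):
                verdicts.append((entry, "review: GUID-named extension, check its publisher"))
            else:
                verdicts.append((entry, "ok"))
    return verdicts


def build_sample_profile():
    """Constructed profile: the default theme, one GUID folder without a
    manifest, one folder whose manifest declares a different id, and one
    plain extension. The two GUIDs are the folder names from the log; their
    contents here are made up for the demo."""
    ext = os.path.join(tempfile.mkdtemp(prefix="ffprofile-"), "extensions")
    os.makedirs(os.path.join(ext, DEFAULT_THEME_ID))
    os.makedirs(os.path.join(ext, "{92dd2ac1-2320-4dd4-a5c0-f863d2f15087}"))
    mismatched = os.path.join(ext, "{f64a20cd-95ab-442b-ab28-8945b0e04afa}")
    os.makedirs(mismatched)
    with open(os.path.join(mismatched, "install.rdf"), "w", encoding="utf-8") as fh:
        fh.write('<RDF><Description em:id="helper@example.invalid"/></RDF>')
    plain = os.path.join(ext, "notes@example.invalid")
    os.makedirs(plain)
    with open(os.path.join(plain, "install.rdf"), "w", encoding="utf-8") as fh:
        fh.write("<RDF><Description><em:id>notes@example.invalid</em:id></Description></RDF>")
    return ext


if __name__ == "__main__":
    for entry, verdict in audit_extensions(build_sample_profile()):
        print(f"{verdict:55} {entry}")
```

On the affected machine the same audit would be pointed at the real profile path shown in the log, and the registry half (the HKLM\Software\Mozilla\Firefox\Extensions values, which point at folders outside the profile) read with the winreg module; it is left out here so the example runs offline on any platform.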


#14 Noviciate
  • Malware Response Team

Posted 26 July 2011 - 05:38 PM

My bad, the tool has probably been updated since I last played with it. How's the PC behaving now?


#15 Kroto
  • Topic Starter

Posted 27 July 2011 - 10:25 AM

Noviciate,

I have been using it for the last day and I have not had a redirect yet (I have been using Google "more than usual" to try to bait it out). Thank you very much for donating some of your time to help me fix my computer, I owe you the deepest of appreciations. Is there anything else that you need me to check or do?



