Some problems continuing after Malware found and moved to chest


This topic is locked
26 replies to this topic

#1 ElianaR (Members, 16 posts)

Posted 29 June 2012 - 02:08 PM

Original problem:

Computer was running slowly and crashing frequently (more frequently if more than one program was running, or if I tried to do anything else while a large Word doc was saving) [Crash = screen going blank & monitor blinking that it wasn't getting any signal from the computer. Other forms also happened occasionally (freezing, blue screen (didn't save the messages, sorry!), etc., but going blank was the regular version)]

Ghost tray often popped up an error message during this time and said it had to stop.

CPU usage was very high during this time also - even when very little was running.

Virus scans came back negative until 6/17 when an Avast "quick scan" identified Win32:Malware-gen in a file. We chose "delete". No difference was noticed in the computer's functioning.


Except: Word stopped working. When I open a Word file, the Word screen opens, but no content & it is listed as "not responding".


An Avast "boot scan" on 6/18 turned up nothing.

An Avast "boot scan" that covered more (it ran all night) identified a Win32: Malware-gen in the same file. We chose "move to chest" and the crashing stopped.

Over those few days, and since, I have uninstalled & reinstalled Word multiple times - several of them from fresh downloads. [Word = Microsoft Word Home & Student 2007] ...but I still cannot open a Word doc - either new or existing.

I will attach the dds logs, but I could not get a successful gmer scan to run. I tried 3 times:

1) After a few minutes I got a pop-up error message "gmer.exec has encountered a problem and needs to close"

2) computer crashed with a blue screen. Message: "bad_pool_caller" Stop 0X00000002 (and more # sets in parentheses)

3) When I tried to run the program a pop-up warning said it was blocked by the firewall. I told it to make an exception for this. After ~5-7 minutes of scan the blue-screen crash reoccurred (same message). Fwiw, when it crashed it was scanning Software/Microsoft/???


I would be very grateful for any guidance or suggestions you might have!

Eliana

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by eliana at 10:00:32 on 2012-06-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.343 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
F:\cygwin\usr\sbin\cygserver.exe
F:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
F:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\mshearts.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.efn.org/~eliana/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1:9421;
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Akamai NetSession Interface] "c:\documents and settings\eliana\local settings\application data\akamai\netsession_win.exe"
uRun: [Google Update] "c:\documents and settings\eliana\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [1A:Stardock TrayMonitor]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRunServices: [1A:Stardock TrayMonitor]
StartupFolder: c:\docume~1\eliana\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D042B98B-A65F-4F68-AF3A-326CADDAE856} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: 64.81.167.122 cg.mel fgn.mel westlake2
Hosts: 10.40.2.22 rigel rigel.oregon.summit
Hosts: 10.6.221.145 merlin
Hosts: 10.40.2.25 sl-clearcase_2 sl-clearcase_2.oregon.summit
Hosts: 10.6.222.240 summit11 summit11.corvallis.summit
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eliana\application data\mozilla\firefox\profiles\u2699b4u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.efn.org/~eliana
FF - plugin: c:\documents and settings\eliana\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\eliana\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\eliana\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-26 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-26 337880]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-26 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-26 44768]
R2 sshd;CYGWIN sshd;f:\cygwin\bin\cygrunsrv.exe [2008-8-17 68096]
S2 JoinMEPlayUI Assistant Service;JoinMEPlayUI Assistant Service;c:\program files\joinme drivers\JoinMEPlayAssistantServices.exe [2012-6-10 242176]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2009-2-1 4736]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2012-6-10 9216]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2009-2-1 8960]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2012-6-10 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2012-6-10 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2012-6-10 106752]
.
=============== Created Last 30 ================
.
2012-06-21 04:15:40 30512 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2012-06-21 04:15:40 30512 ----a-w- c:\windows\system32\mdimon.dll
2012-06-20 03:33:31 -------- d-sh--w- c:\documents and settings\eliana\IECompatCache
2012-06-20 03:33:02 -------- d-sh--w- c:\documents and settings\eliana\PrivacIE
2012-06-19 19:13:48 -------- d-sh--w- c:\documents and settings\eliana\IETldCache
2012-06-19 17:56:40 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-19 17:45:56 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-06-19 17:43:14 -------- d-----w- c:\windows\ie8updates
2012-06-19 17:40:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-19 17:40:51 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-19 17:40:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-19 17:36:05 -------- dc-h--w- c:\windows\ie8
2012-06-18 03:01:05 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-06-18 03:01:02 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-18 03:01:02 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-10 18:48:38 106752 ----a-w- c:\windows\system32\drivers\zgwhsnmea.sys
2012-06-10 18:48:38 106752 ----a-w- c:\windows\system32\drivers\zgwhsmdm.sys
2012-06-10 18:48:37 9216 ----a-w- c:\windows\system32\drivers\massfilter_hs.sys
2012-06-10 18:48:37 106752 ----a-w- c:\windows\system32\drivers\zgwhsdiag.sys
2012-06-10 18:48:25 -------- d-----w- c:\windows\system32\SupportAppCB
2012-06-10 18:48:14 -------- d-----w- c:\program files\JoinME Drivers
2012-06-10 18:47:38 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2012-06-10 18:47:38 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2012-06-10 18:47:38 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2012-06-10 18:47:38 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2012-06-10 18:47:37 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2012-06-10 18:47:34 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2012-06-10 18:47:32 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2012-06-06 15:35:12 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-06 15:35:12 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
2012-06-03 16:55:50 -------- d-----w- c:\program files\FoundationStone 4.0
2012-05-31 13:22:09 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2012-06-11 01:35:51 90112 ----a-w- c:\windows\DUMP14ea.tmp
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ------w- c:\windows\system32\ieencode.dll
2012-04-09 20:18:37 90112 ----a-w- c:\windows\DUMP0b07.tmp
.
============= FINISH: 10:04:21.43 ===============


#2 HelpBot (Bleepin' Binary Bot, Bots, 12,733 posts)

Posted 04 July 2012 - 02:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/458779 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 m0le (Can U Dig It?, Malware Response Team, 34,527 posts, London, UK)

Posted 04 July 2012 - 06:33 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#4 ElianaR (Topic Starter, Members, 16 posts)

Posted 04 July 2012 - 09:02 PM

1. Description of problem above

2a. DDS logs below
b. I tried running the gmer scan again, but the computer crashed again a few minutes into the scan (crashed = screen went black. This time it would start again for a few hours afterwards)

I have Windows XP, 32-bit. I could find the version, but I don't know it off hand.

3. Yes, I have my Windows CD available.

Thank you so much - having experienced folk to walk me through this is an enormous comfort! Before I found this forum I was starting to panic and fear that I would never be able to finish the project I was working on (in a Word doc...)!

Eliana


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by eliana at 13:14:53 on 2012-07-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.390 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\JoinME Drivers\JoinMEPlayAssistantServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
F:\cygwin\usr\sbin\cygserver.exe
F:\cygwin\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
F:\cygwin\usr\sbin\sshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.efn.org/~eliana/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local;127.0.0.1:9421;
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Akamai NetSession Interface] "c:\documents and settings\eliana\local settings\application data\akamai\netsession_win.exe"
uRun: [Google Update] "c:\documents and settings\eliana\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Norton Ghost 9.0] c:\program files\symantec\norton ghost\agent\GhostTray.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [1A:Stardock TrayMonitor]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRunServices: [1A:Stardock TrayMonitor]
StartupFolder: c:\docume~1\eliana\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} - hxxp://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D042B98B-A65F-4F68-AF3A-326CADDAE856} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: 64.81.167.122 cg.mel fgn.mel westlake2
Hosts: 10.40.2.22 rigel rigel.oregon.summit
Hosts: 10.6.221.145 merlin
Hosts: 10.40.2.25 sl-clearcase_2 sl-clearcase_2.oregon.summit
Hosts: 10.6.222.240 summit11 summit11.corvallis.summit
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\eliana\application data\mozilla\firefox\profiles\u2699b4u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.efn.org/~eliana
FF - plugin: c:\documents and settings\eliana\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\eliana\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\eliana\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-7-29 138780]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-26 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-26 337880]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-7-29 46779]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-26 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-26 44768]
R2 JoinMEPlayUI Assistant Service;JoinMEPlayUI Assistant Service;c:\program files\joinme drivers\JoinMEPlayAssistantServices.exe [2012-6-10 242176]
R2 sshd;CYGWIN sshd;f:\cygwin\bin\cygrunsrv.exe [2008-8-17 68096]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2009-2-1 4736]
S3 massfilter_hs;ZTE HandSet Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter_hs.sys [2012-6-10 9216]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2009-2-1 8960]
S3 zgwhsdiag;ZTE WCDMA Handset Diagnostic Port;c:\windows\system32\drivers\zgwhsdiag.sys [2012-6-10 106752]
S3 zgwhsmdm;ZTE WCDMA Handset USB Modem;c:\windows\system32\drivers\zgwhsmdm.sys [2012-6-10 106752]
S3 zgwhsnmea;WCDMA Handset NMEA Port;c:\windows\system32\drivers\zgwhsnmea.sys [2012-6-10 106752]
.
=============== Created Last 30 ================
.
2012-06-21 04:15:40 30512 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2012-06-21 04:15:40 30512 ----a-w- c:\windows\system32\mdimon.dll
2012-06-20 03:33:31 -------- d-sh--w- c:\documents and settings\eliana\IECompatCache
2012-06-20 03:33:02 -------- d-sh--w- c:\documents and settings\eliana\PrivacIE
2012-06-19 19:13:48 -------- d-sh--w- c:\documents and settings\eliana\IETldCache
2012-06-19 17:56:40 521728 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2012-06-19 17:45:56 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-06-19 17:43:14 -------- d-----w- c:\windows\ie8updates
2012-06-19 17:40:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2012-06-19 17:40:51 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2012-06-19 17:40:45 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2012-06-19 17:36:05 -------- dc-h--w- c:\windows\ie8
2012-06-18 03:01:05 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2012-06-18 03:01:02 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-06-18 03:01:02 3072 ------w- c:\windows\system32\iacenc.dll
2012-06-10 18:48:38 106752 ----a-w- c:\windows\system32\drivers\zgwhsnmea.sys
2012-06-10 18:48:38 106752 ----a-w- c:\windows\system32\drivers\zgwhsmdm.sys
2012-06-10 18:48:37 9216 ----a-w- c:\windows\system32\drivers\massfilter_hs.sys
2012-06-10 18:48:37 106752 ----a-w- c:\windows\system32\drivers\zgwhsdiag.sys
2012-06-10 18:48:25 -------- d-----w- c:\windows\system32\SupportAppCB
2012-06-10 18:48:14 -------- d-----w- c:\program files\JoinME Drivers
2012-06-10 18:47:38 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\ctor.dll
2012-06-10 18:47:38 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\DotNetInstaller.exe
2012-06-10 18:47:38 274432 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iscript.dll
2012-06-10 18:47:38 204800 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iuser.dll
2012-06-10 18:47:37 757760 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iKernel.dll
2012-06-10 18:47:34 200836 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\iGdi.dll
2012-06-10 18:47:32 331908 ----a-w- c:\program files\common files\installshield\professional\runtime\11\50\intel32\setup.dll
2012-06-06 15:35:12 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
2012-06-06 15:35:12 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
.
==================== Find3M ====================
.
2012-06-11 01:35:51 90112 ----a-w- c:\windows\DUMP14ea.tmp
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
2012-05-04 13:12:30 2192640 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32:19 2069120 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ------w- c:\windows\system32\ieencode.dll
2012-04-09 20:18:37 90112 ----a-w- c:\windows\DUMP0b07.tmp
.
============= FINISH: 13:16:47.95 ===============

#5 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 05 July 2012 - 05:27 PM

I can see some malicious entries in the log, but they have been stopped, so we're halfway home already.

Please run aswMBR to check for rootkits.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#6 ElianaR
  • Topic Starter
  • Members
  • 16 posts

Posted 06 July 2012 - 12:58 AM

Halfway home sounds encouraging!

I'll paste the log below.

First: the computer crashed during the first scan I tried to run (not right away, but after a significant amount of time).
I looked around on this site a little & saw a recommendation to rename the exe file if that happened.

The 2nd time it froze about 35 minutes into the scan.

Both times it was past the 3 "Avast Engine scan"s of C:\Windows\...
The second time it was scanning \Documents and Settings\...\...\Adobe Acrobat\...

Here's the log: (and *thank you*!!)

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-05 20:33:01
-----------------------------
20:33:01.328 OS Version: Windows 5.1.2600 Service Pack 3
20:33:01.328 Number of processors: 1 586 0x2F00
20:33:01.328 ComputerName: CONSTANTINE UserName: eliana
20:33:15.125 Initialize success
20:33:15.421 AVAST engine defs: 12070501
20:33:23.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
20:33:23.687 Disk 0 Vendor: SAMSUNG_SP1614C SW100-34 Size: 152627MB BusType: 3
20:33:23.703 Disk 0 MBR read successfully
20:33:23.703 Disk 0 MBR scan
20:33:23.703 Disk 0 Windows XP default MBR code
20:33:23.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 99998 MB offset 63
20:33:23.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 52626 MB offset 204796620
20:33:23.734 Disk 0 scanning sectors +312576705
20:33:23.859 Disk 0 scanning C:\WINDOWS\system32\drivers
20:33:49.500 Service scanning
20:34:19.640 Modules scanning
20:34:32.093 Disk 0 trace - called modules:
20:34:32.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
20:34:32.109 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87381ab8]
20:34:32.421 3 CLASSPNP.SYS[f769cfd7] -> nt!IofCallDriver -> \Device\00000061[0x8734df18]
20:34:32.421 5 ACPI.sys[f7533620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-5[0x87373940]
20:34:34.781 AVAST engine scan C:\WINDOWS
20:34:59.312 AVAST engine scan C:\WINDOWS\system32
20:39:11.218 AVAST engine scan C:\WINDOWS\system32\drivers
20:39:35.078 AVAST engine scan C:\Documents and Settings\eliana
22:05:13.546 AVAST engine scan C:\Documents and Settings\All Users
22:10:52.921 Scan finished successfully
22:48:39.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\eliana\Desktop\MBR.dat"
22:48:39.140 The log file has been saved successfully to "C:\Documents and Settings\eliana\Desktop\aswMBR.txt"

#7 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2012 - 06:10 PM

Okay, let's manually remove the entries. Please run the OTL scanner.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

m0le is a proud member of UNITE

#8 ElianaR
  • Topic Starter
  • Members
  • 16 posts

Posted 06 July 2012 - 07:14 PM

Hurrah! It just took one scan - no crashes!

I'll be offline for Shabbos, but will check back in Saturday night (my time) to see what I should do next.

Thank you!

Here are the logs:

OTL logfile created on: 7/6/2012 4:46:32 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\eliana\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.23 Mb Total Physical Memory | 341.28 Mb Available Physical Memory | 33.35% Memory free
2.90 Gb Paging File | 2.36 Gb Available in Paging File | 81.35% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 11.23 Gb Free Space | 11.50% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 51.39 Gb Total Space | 1.32 Gb Free Space | 2.58% Space Free | Partition Type: NTFS

Computer Name: CONSTANTINE | User Name: eliana | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/06 16:45:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\eliana\Desktop\OTL.exe
PRC - [2012/06/17 09:27:19 | 000,913,888 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2012/05/26 06:32:24 | 004,327,744 | ---- | M] (Akamai Technologies, Inc) -- C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe
PRC - [2012/03/06 16:15:17 | 004,241,512 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/03/06 16:15:14 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2010/10/28 19:07:12 | 000,242,176 | ---- | M] () -- C:\Program Files\JoinME Drivers\JoinMEPlayAssistantServices.exe
PRC - [2010/09/03 01:44:38 | 000,388,110 | ---- | M] () -- F:\cygwin\usr\sbin\sshd.exe
PRC - [2010/08/31 01:01:28 | 000,150,542 | ---- | M] () -- F:\cygwin\usr\sbin\cygserver.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 03:28:46 | 000,068,096 | ---- | M] () -- F:\cygwin\bin\cygrunsrv.exe
PRC - [2007/07/12 12:43:50 | 000,226,904 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
PRC - [2006/10/11 12:45:12 | 000,075,304 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
PRC - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
PRC - [2006/09/19 16:05:32 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
PRC - [2005/09/22 01:42:24 | 000,090,112 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe
PRC - [2004/07/29 05:41:08 | 001,122,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
PRC - [2004/07/29 05:02:34 | 001,269,760 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
PRC - [2004/07/29 03:53:58 | 000,053,248 | ---- | M] (GEAR Software) -- C:\WINDOWS\system32\gearsec.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/06 10:55:26 | 001,781,248 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12070601\algo.dll
MOD - [2012/06/17 09:27:15 | 002,042,848 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/24 21:56:11 | 008,527,008 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
MOD - [2011/09/27 08:23:00 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/09/27 08:22:40 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/11/16 11:38:50 | 001,174,542 | ---- | M] () -- F:\cygwin\bin\cygcrypto-0.9.8.dll
MOD - [2010/10/28 19:07:12 | 000,242,176 | ---- | M] () -- C:\Program Files\JoinME Drivers\JoinMEPlayAssistantServices.exe
MOD - [2010/09/03 01:44:38 | 000,388,110 | ---- | M] () -- F:\cygwin\usr\sbin\sshd.exe
MOD - [2010/08/31 01:01:28 | 000,150,542 | ---- | M] () -- F:\cygwin\usr\sbin\cygserver.exe
MOD - [2010/08/14 17:54:51 | 000,010,766 | ---- | M] () -- F:\cygwin\bin\cygssp-0.dll
MOD - [2010/08/14 17:54:30 | 000,046,094 | ---- | M] () -- F:\cygwin\bin\cyggcc_s-1.dll
MOD - [2010/08/01 14:04:19 | 000,077,838 | ---- | M] () -- F:\cygwin\bin\cygz.dll
MOD - [2010/03/28 02:02:33 | 000,028,174 | ---- | M] () -- F:\cygwin\bin\cygwrap-0.dll
MOD - [2008/03/18 03:28:46 | 000,068,096 | ---- | M] () -- F:\cygwin\bin\cygrunsrv.exe
MOD - [2006/09/20 08:35:26 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
MOD - [2006/09/19 16:05:32 | 000,024,576 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
MOD - [2003/10/19 02:12:30 | 000,006,656 | ---- | M] () -- F:\cygwin\bin\cygcrypt-0.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Prime95\prime95.exe -- (Prime95 Service)
SRV - [2012/06/17 09:27:16 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/03/06 16:15:14 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/10/28 19:07:12 | 000,242,176 | ---- | M] () [Auto | Running] -- C:\Program Files\JoinME Drivers\JoinMEPlayAssistantServices.exe -- (JoinMEPlayUI Assistant Service)
SRV - [2008/03/18 03:28:46 | 000,068,096 | ---- | M] () [Auto | Running] -- F:\cygwin\bin\cygrunsrv.exe -- (sshd)
SRV - [2008/03/18 03:28:46 | 000,068,096 | ---- | M] () [Auto | Running] -- F:\cygwin\bin\cygrunsrv.exe -- (cygserver)
SRV - [2007/07/11 18:25:20 | 000,025,640 | R--- | M] (Amazon.com) [On_Demand | Stopped] -- C:\Program Files\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe -- (ADVService)
SRV - [2004/07/29 05:02:34 | 001,269,760 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe -- (Norton Ghost)
SRV - [2004/07/29 03:53:58 | 000,053,248 | ---- | M] (GEAR Software) [Auto | Running] -- C:\WINDOWS\system32\gearsec.exe -- (GEARSecurity)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/06 16:03:51 | 000,612,184 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/03/06 16:03:38 | 000,337,880 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/03/06 16:02:00 | 000,035,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2012/03/06 16:01:53 | 000,053,848 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/03/06 16:01:39 | 000,095,704 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/03/06 16:01:30 | 000,020,696 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/03/06 15:58:29 | 000,024,920 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2011/03/14 11:03:02 | 000,106,752 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsnmea.sys -- (zgwhsnmea)
DRV - [2011/03/14 11:03:02 | 000,106,752 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsmdm.sys -- (zgwhsmdm)
DRV - [2011/03/14 11:03:02 | 000,106,752 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\zgwhsdiag.sys -- (zgwhsdiag)
DRV - [2011/03/14 11:03:02 | 000,009,216 | ---- | M] (HandSet Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\massfilter_hs.sys -- (massfilter_hs)
DRV - [2008/04/13 11:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2007/09/29 03:06:00 | 002,456,064 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/22 01:34:18 | 003,727,680 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/08/03 16:59:38 | 000,008,960 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbbc2.sys -- (PLUsbbc2)
DRV - [2005/08/03 16:59:36 | 000,004,736 | R--- | M] (Laplink Software, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\llusbflt.sys -- (LLUSBFLT)
DRV - [2005/07/29 02:11:04 | 000,012,928 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/29 02:11:02 | 000,034,048 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/07/26 23:44:46 | 000,098,176 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\nvatabus.sys -- (nvatabus)
DRV - [2004/12/23 01:52:56 | 001,903,370 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelS51.sys -- (IntelS51) Intel®
DRV - [2004/07/29 05:13:28 | 000,046,779 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQIMount.sys -- (PQIMount)
DRV - [2004/07/29 04:33:08 | 000,138,780 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\System32\drivers\PQV2i.sys -- (PQV2i)
DRV - [2001/08/17 07:00:04 | 000,002,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msmpu401.sys -- (ms_mpu401)
DRV - [2001/08/17 06:51:32 | 000,018,688 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\irsir.sys -- (irsir)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.efn.org/~eliana/
IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local;127.0.0.1:9421;
IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Swag Bucks Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.efn.org/~eliana"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {c45c406e-ab73-11d8-be73-000a95be3b12}:1.1.9
FF - prefs.js..extensions.enabledItems: firebug@software.joehewitt.com:1.7.3


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc;version=0.8.6e: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN Team)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\eliana\Application Data\Facebook\npfbplugin_1_0_3.dll File not found
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: C:\Documents and Settings\eliana\Application Data\nprhapengine.dll File not found
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\eliana\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\eliana\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\eliana\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\eliana\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/03/23 10:29:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/17 09:27:20 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/06/27 21:06:26 | 000,000,000 | ---D | M]

[2010/03/27 20:16:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\eliana\Application Data\Mozilla\Extensions
[2012/05/18 09:13:08 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\extensions
[2011/11/12 18:42:33 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/18 09:13:08 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/11/12 18:42:33 | 000,000,000 | ---D | M] (Web Developer) -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
[2011/02/22 18:41:02 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\searchplugins\conduit.xml
[2012/07/05 20:05:51 | 000,005,216 | ---- | M] () -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\searchplugins\linkedin.xml
[2012/07/05 20:05:51 | 000,005,231 | ---- | M] () -- C:\Documents and Settings\eliana\Application Data\Mozilla\Firefox\Profiles\u2699b4u.default\searchplugins\linkedinjobs.xml
[2012/06/17 08:56:47 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/17 09:27:19 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/12/23 16:14:53 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2005/05/19 17:18:18 | 000,520,192 | ---- | M] (Lizardtech Software) -- C:\Program Files\mozilla firefox\plugins\npexview.dll
[2007/03/06 17:11:21 | 000,319,488 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npsnapfish.dll
[2012/02/29 22:40:12 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/02/29 22:40:12 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - default_search_provider: Google ()
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - Extension: AdBlock = C:\Documents and Settings\eliana\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\1.4.32\

O1 HOSTS File: ([2007/12/03 00:12:39 | 000,002,125 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 64.81.167.122 cg.mel fgn.mel westlake2
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.40.2.22 rigel rigel.oregon.summit
O1 - Hosts: 10.6.221.145 merlin
O1 - Hosts: 10.40.2.25 sl-clearcase_2 sl-clearcase_2.oregon.summit
O1 - Hosts: 10.6.222.240 summit11 summit11.corvallis.summit
O1 - Hosts: 10.6.221.144 summit14 summit14.corvallis.summit intranet
O1 - Hosts: 10.6.221.102 summit16 summit16.corvallis.summit
O1 - Hosts: 10.6.221.201 summit18 summit18.corvallis.summit
O1 - Hosts: 10.6.221.203 summit18ctrx summit18ctrx.corvallis.summit
O1 - Hosts: 10.6.221.202 summit19 summit19.corvallis.summit
O1 - Hosts: 10.6.221.206 summit20 summit20.corvallis.summit
O1 - Hosts: 10.40.2.21 summit21 summit21.oregon.summit
O1 - Hosts: 10.6.221.99 summit30 summit30.corvallis.summit
O1 - Hosts: 10.6.1.213 summit46 summit46.corvallis.summit
O1 - Hosts: 10.40.2.20 salem salem.oregon.summit
O1 - Hosts: 10.40.2.31 bsi-cc bsi-cc.oregon.summit
O1 - Hosts: 10.40.2.45 bsi-ts bsi-ts.oregon.summit
O1 - Hosts: 10.6.221.151 franz # Development AS, Pathways, Oracle and STL Server.
O1 - Hosts: 10.6.221.51 bisley # QA Account Services Server
O1 - Hosts: 10.40.2.49 hans # Development UC4 Server
O1 - Hosts: 10.6.223.12 hp918 # HP3000 QA Testing Box
O1 - Hosts: 10.40.2.47 hp957 # HP3000 QA Testing Box
O1 - Hosts: 10.6.223.3 hp969 # HP3000 Development Box
O1 - Hosts: 10.6.223.63 Itanium # Potential A400 Development Box
O1 - Hosts: 2 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [1A:Stardock TrayMonitor] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe (Symantec Corporation)
O4 - HKLM..\Run: [OpwareSE4] C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKLM..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe ()
O4 - HKU\S-1-5-21-1606980848-1482476501-839522115-1005..\Run: [Akamai NetSession Interface] C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKU\S-1-5-21-1606980848-1482476501-839522115-1005..\Run: [ISUSPM] C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKLM..\RunServices: [1A:Stardock TrayMonitor] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\eliana\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: _NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 File not found
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_23.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D042B98B-A65F-4F68-AF3A-326CADDAE856}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\eliana\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\eliana\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/02/13 17:45:44 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKU\S-1-5-21-1606980848-1482476501-839522115-1005..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/06 16:45:39 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\eliana\Desktop\OTL.exe
[2012/07/05 17:35:09 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\eliana\Desktop\iexplore.exe
[2012/06/29 09:56:55 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\eliana\Desktop\dds.scr
[2012/06/28 16:11:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\eliana\Desktop\Echinuch
[2012/06/20 21:15:40 | 000,030,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mdimon.dll
[2012/06/19 20:33:31 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\eliana\IECompatCache
[2012/06/19 20:33:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\eliana\PrivacIE
[2012/06/19 12:13:48 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\eliana\IETldCache
[2012/06/19 10:56:40 | 000,521,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\jsdbgui.dll
[2012/06/19 10:43:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2012/06/19 10:40:45 | 000,743,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iedvtool.dll
[2012/06/19 10:36:05 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/06/17 20:01:05 | 000,010,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndistapi.sys
[2012/06/17 14:16:20 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/06/10 11:48:38 | 000,106,752 | ---- | C] (ZTE Incorporated) -- C:\WINDOWS\System32\drivers\zgwhsnmea.sys
[2012/06/10 11:48:38 | 000,106,752 | ---- | C] (ZTE Incorporated) -- C:\WINDOWS\System32\drivers\zgwhsmdm.sys
[2012/06/10 11:48:37 | 000,106,752 | ---- | C] (ZTE Incorporated) -- C:\WINDOWS\System32\drivers\zgwhsdiag.sys
[2012/06/10 11:48:37 | 000,009,216 | ---- | C] (HandSet Incorporated) -- C:\WINDOWS\System32\drivers\massfilter_hs.sys
[2012/06/10 11:48:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\JoinME Drivers
[2012/06/10 11:48:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SupportAppCB
[2012/06/10 11:48:14 | 000,000,000 | ---D | C] -- C:\Program Files\JoinME Drivers
[28 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/06 17:07:02 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1482476501-839522115-1005UA.job
[2012/07/06 16:45:37 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\eliana\Desktop\OTL.exe
[2012/07/06 15:47:12 | 000,054,913 | ---- | M] () -- C:\Documents and Settings\eliana\Desktop\581322_384209171626306_55116282_n.jpg
[2012/07/06 13:02:36 | 000,023,854 | ---- | M] () -- C:\Documents and Settings\eliana\Desktop\image3547.jpg
[2012/07/06 13:02:29 | 000,033,141 | ---- | M] () -- C:\Documents and Settings\eliana\Desktop\image1535.jpg
[2012/07/06 07:40:10 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/05 22:48:39 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\eliana\Desktop\MBR.dat
[2012/07/05 19:07:08 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-1482476501-839522115-1005Core.job
[2012/07/05 17:36:11 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\eliana\Desktop\iexplore.exe
[2012/06/29 10:17:54 | 000,255,064 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/06/29 09:59:00 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\eliana\defogger_reenable
[2012/06/29 09:56:53 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\eliana\Desktop\dds.scr
[2012/06/29 09:01:50 | 003,539,685 | ---- | M] () -- C:\Documents and Settings\eliana\Desktop\Tribune-Layout-Sivan-5772-May-June-2012.pdf
[2012/06/19 20:36:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/06/19 12:01:36 | 000,472,436 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/06/19 12:01:36 | 000,084,056 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[28 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/06 15:47:12 | 000,054,913 | ---- | C] () -- C:\Documents and Settings\eliana\Desktop\581322_384209171626306_55116282_n.jpg
[2012/07/06 13:02:36 | 000,023,854 | ---- | C] () -- C:\Documents and Settings\eliana\Desktop\image3547.jpg
[2012/07/06 13:02:27 | 000,033,141 | ---- | C] () -- C:\Documents and Settings\eliana\Desktop\image1535.jpg
[2012/07/05 22:48:39 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\eliana\Desktop\MBR.dat
[2012/06/29 09:59:00 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\eliana\defogger_reenable
[2012/06/29 09:01:42 | 003,539,685 | ---- | C] () -- C:\Documents and Settings\eliana\Desktop\Tribune-Layout-Sivan-5772-May-June-2012.pdf
[2012/06/17 20:01:02 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/06/17 20:01:02 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2011/05/01 10:16:45 | 000,013,162 | -HS- | C] () -- C:\Documents and Settings\eliana\Local Settings\Application Data\n8c7doyeb3gnc0s7668val88vask
[2011/05/01 10:16:45 | 000,013,162 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\n8c7doyeb3gnc0s7668val88vask
[2008/09/15 12:09:16 | 001,538,639 | ---- | C] () -- C:\Documents and Settings\eliana\Registration ID and Logging into System 2008-2009.pdf
[2008/09/15 12:09:13 | 000,308,524 | ---- | C] () -- C:\Documents and Settings\eliana\Setting Up Your Student's Account.pdf
[2008/09/15 11:02:49 | 000,161,818 | ---- | C] () -- C:\Documents and Settings\eliana\WAVA HS Student Start-Up Schedule Fall 2008-09.pdf
[2008/07/10 22:23:12 | 000,020,992 | ---- | C] () -- C:\Documents and Settings\eliana\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/07 19:51:19 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\eliana\track_set.pl
[2007/06/05 12:50:19 | 000,001,337 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/12/09 23:10:44 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\eliana\Local Settings\Application Data\fusioncache.dat
[2006/10/05 18:12:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\eliana\LOG
[2006/08/01 14:45:09 | 000,003,181 | ---- | C] () -- C:\Documents and Settings\eliana\.vclass.props
[2006/02/20 20:12:38 | 000,005,720 | ---- | C] () -- C:\Documents and Settings\eliana\.bash_history

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6C094A7
@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F00E008B
@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B623B5B8
@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282
@Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCAF903C
@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FF9F3ACA
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:370EF5E8
@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C841C093
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DB365884
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B34A7CD6
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3741C791
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AB56A06
@Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:213583D4
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DA64F2C
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E7393FC
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2430E4FC
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E50BC565
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:45E9EFF4
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38020A20
@Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15111B33
@Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8
@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F0D660C
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:918DBCA9
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E71141D2
@Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B68494D

< End of report >

OTL Extras logfile created on: 7/6/2012 4:46:32 PM - Run 1
OTL by OldTimer - Version 3.2.53.1 Folder = C:\Documents and Settings\eliana\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.23 Mb Total Physical Memory | 341.28 Mb Available Physical Memory | 33.35% Memory free
2.90 Gb Paging File | 2.36 Gb Available in Paging File | 81.35% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 11.23 Gb Free Space | 11.50% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 51.39 Gb Total Space | 1.32 Gb Free Space | 2.58% Space Free | Partition Type: NTFS

Computer Name: CONSTANTINE | User Name: eliana | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\WINWORD.EXE" /n /dde
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"22:TCP" = 22:TCP:*:Enabled:ssh
"22:UDP" = 22:UDP:*:Enabled:ssh udp

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\msnmsgr.exe" = C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:MSN Messenger 7.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\cygwin\home\sthoenna\bleadperl\p\perl.exe" = C:\cygwin\home\sthoenna\bleadperl\p\perl.exe:*:Enabled:perl
"C:\cygwin\bin\perl.exe" = C:\cygwin\bin\perl.exe:*:Enabled:perl
"C:\cygwin\bin\rsync.exe" = C:\cygwin\bin\rsync.exe:*:Enabled:rsync
"C:\cygwin\home\sthoenna\bleadperl\pp\perl.exe" = C:\cygwin\home\sthoenna\bleadperl\pp\perl.exe:*:Enabled:perl
"C:\cygwin\home\sthoenna\bleadperl\mp\perl.exe" = C:\cygwin\home\sthoenna\bleadperl\mp\perl.exe:*:Enabled:perl
"C:\cygwin\home\sthoenna\dl\tmp\perl-5.8.8\perl.exe" = C:\cygwin\home\sthoenna\dl\tmp\perl-5.8.8\perl.exe:*:Enabled:perl
"C:\cygwin\home\sthoenna\cygperl\gerrit\perl-5.8.8-1\buildperl\perl.exe" = C:\cygwin\home\sthoenna\cygperl\gerrit\perl-5.8.8-1\buildperl\perl.exe:*:Enabled:perl
"C:\cygwin\perl\perl-5.8.7-5\buildperl\perl.exe" = C:\cygwin\perl\perl-5.8.7-5\buildperl\perl.exe:*:Enabled:perl
"C:\cygwin\perl\perl-5.8.8-1\buildperl\perl.exe" = C:\cygwin\perl\perl-5.8.8-1\buildperl\perl.exe:*:Enabled:perl
"C:\cygwin\perl\perl-5.8.8\buildperl\perl.exe" = C:\cygwin\perl\perl-5.8.8\buildperl\perl.exe:*:Enabled:perl
"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe" = C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe:*:Disabled:SR_GUI
"C:\cygwin\usr\sbin\sshd.exe" = C:\cygwin\usr\sbin\sshd.exe:*:Enabled:sshd.exe
"C:\Program Files\Laplink\PCmover\PCmover.exe" = C:\Program Files\Laplink\PCmover\PCmover.exe:*:Enabled:PCmover
"F:\cygwin\bin\perl.exe" = F:\cygwin\bin\perl.exe:*:Enabled:perl -- ()
"C:\Program Files\Mozilla Firefox\firefox.exe" = C:\Program Files\Mozilla Firefox\firefox.exe:*:Disabled:Firefox -- (Mozilla Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Disabled:iTunes
"C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe" = C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe:*:Disabled:Java™ 2 Platform Standard Edition binary
"C:\Program Files\Java\jdk1.5.0_06\jre\bin\java.exe" = C:\Program Files\Java\jdk1.5.0_06\jre\bin\java.exe:*:Disabled:Java™ 2 Platform Standard Edition binary
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Disabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe:*:Disabled:Java™ Platform SE binary
"C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe" = C:\Program Files\Java\jre1.6.0_01\bin\javaw.exe:*:Disabled:Java™ Platform SE binary
"C:\cygwin\bin\ncftp.exe" = C:\cygwin\bin\ncftp.exe:*:Disabled:ncftp
"C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe" = C:\Documents and Settings\eliana\Local Settings\Application Data\Akamai\netsession_win.exe:*:Enabled:Akamai NetSession Client -- (Akamai Technologies, Inc)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0EBD67C1-5E72-498E-964F-02F5181E156C}" = calibre
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{24aab420-4e30-4496-9739-3e216f3de6ae}" = Python 2.6.2
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 23
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{3215EBED-1D06-42fb-A05C-A752A46FB24C}" = Canon MP530
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C759736-8347-4031-BB9C-D75ADFE6B101}" = Norton Ghost 9.0
"{4656215C-5CF4-4772-8D9B-D531D9780057}" = Install Drivers
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F8D44E7-3F47-4002-AE6A-BCB6A46A1788}" = Lizardtech Express View Browser Plug-in
"{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7EE9DE0D-9228-4C33-B80E-FDD1773600DF}" = Microsoft Works Suite Add-in for Microsoft Word
"{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111412653}" = Mah Jong Tiles Deluxe
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11273313}" = Mystery of Shark Island
"{975C3A93-2491-3D44-A071-F6CBF153E46D}" = Google Talk Plugin
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A70500000002}" = Adobe Reader 7.0.8
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1E693A4-B1D5-4DCD-B68D-2087835B7184}" = ScanSoft OmniPage SE 4.0
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}" = Presto! PageManager 7.15.14
"{D64DCF1C-7A95-49A4-BAFA-C42B5CF6B8B6}" = Works Suite OS Pack
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"ATI Display Driver" = ATI Display Driver
"avast" = avast! Free Antivirus
"Canon MP530 User Registration" = Canon MP530 User Registration
"Collectorz.com Book Collector" = Collectorz.com Book Collector
"Collectorz.com Movie Collector" = Collectorz.com Movie Collector
"Collectorz.com Music Collector" = Collectorz.com Music Collector
"Digital Editions" = Adobe Digital Editions
"EZ Vinyl/Tape Converter by MixMeister_is1" = EZ Vinyl/Tape Converter 4.1 by MixMeister
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{54A4839E-87F8-4BD1-9682-A349E9943F0A}" = Amazon Unbox Video
"Intel® 536EP Modem" = Intel® 536EP Modem
"InterActual Player" = InterActual Player
"KeyFinder_is1" = Magical Jelly Bean KeyFinder
"MDL ISIS Draw 2.5 Standalone" = MDL ISIS Draw 2.5 Standalone
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MP Navigator 2.2" = Canon MP Navigator 2.2
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"pycrypto-py2.6" = Python 2.6 pycrypto-2.1.0
"SolSuite_is1" = SolSuite 2008 v8.2
"VLC media player" = VideoLAN VLC media player 0.8.6e
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2003Setup" = Microsoft Works 2003 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1606980848-1482476501-839522115-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Akamai" = Akamai NetSession Interface
"Energy Skate Park" = Energy Skate Park
"Energy Skate Park- Basics" = Energy Skate Park- Basics
"The Moving Man" = The Moving Man
"The Ramp" = The Ramp

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 6/20/2012 10:59:38 AM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/20/2012 2:14:14 PM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/21/2012 12:28:47 AM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/27/2012 11:47:50 PM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/27/2012 11:55:35 PM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/27/2012 11:55:35 PM | Computer Name = CONSTANTINE | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 12.0.6514.5001, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/29/2012 1:13:59 AM | Computer Name = CONSTANTINE | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 7.0.8.218, faulting module
acrord32.dll, version 7.0.8.218, fault address 0x000c882d.

Error - 6/29/2012 12:01:21 PM | Computer Name = CONSTANTINE | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 7.0.8.218, faulting module
acrord32.dll, version 7.0.8.218, fault address 0x000c882d.

Error - 6/29/2012 1:09:41 PM | Computer Name = CONSTANTINE | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15641, faulting module
gmer.exe, version 1.0.15.15641, fault address 0x0000c676.

Error - 6/29/2012 1:11:17 PM | Computer Name = CONSTANTINE | Source = Application Error | ID = 1001
Description = Fault bucket -1759734912.

[ OSession Events ]
Error - 3/19/2011 11:45:57 PM | Computer Name = CONSTANTINE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 8/5/2011 8:52:03 PM | Computer Name = CONSTANTINE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 8/5/2011 8:54:34 PM | Computer Name = CONSTANTINE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 8/5/2011 9:11:46 PM | Computer Name = CONSTANTINE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

Error - 8/7/2011 11:11:52 AM | Computer Name = CONSTANTINE | Source = Microsoft Office 12 Sessions | ID = 7001
Description =

[ System Events ]
Error - 7/5/2012 10:14:20 PM | Computer Name = CONSTANTINE | Source = Service Control Manager | ID = 7000
Description = The Prime95 Service service failed to start due to the following error:
%%2

Error - 7/5/2012 11:03:49 PM | Computer Name = CONSTANTINE | Source = System Error | ID = 1003
Description = Error code 100000d1, parameter1 0000000c, parameter2 00000007, parameter3
00000001, parameter4 f74c75f7.

Error - 7/5/2012 11:15:49 PM | Computer Name = CONSTANTINE | Source = Service Control Manager | ID = 7000
Description = The Prime95 Service service failed to start due to the following error:
%%2

Error - 7/5/2012 11:16:01 PM | Computer Name = CONSTANTINE | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 7/5/2012 11:30:23 PM | Computer Name = CONSTANTINE | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 7/5/2012 11:30:31 PM | Computer Name = CONSTANTINE | Source = Service Control Manager | ID = 7000
Description = The Prime95 Service service failed to start due to the following error:
%%2

Error - 7/6/2012 10:38:15 AM | Computer Name = CONSTANTINE | Source = ati2mtag | ID = 45062
Description = CRT invalid display type

Error - 7/6/2012 10:39:48 AM | Computer Name = CONSTANTINE | Source = Service Control Manager | ID = 7000
Description = The Prime95 Service service failed to start due to the following error:
%%2

Error - 7/6/2012 10:40:37 AM | Computer Name = CONSTANTINE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 7/6/2012 10:42:59 AM | Computer Name = CONSTANTINE | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >
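Triage heuristics of my own over lines in the OTL log format shown above, as an added example (not OTL's own tooling and not the helper's procedure): the `OTL_SAMPLE` lines are constructed in that format, and the rule set is an assumption about what merits a responder's review, not a verdict on any entry.

```python
"""Triage an OTL (OldTimer's List-It) log for entries a malware responder
reviews first.

Added example for this thread, not OTL's own tooling and not the helper's
procedure.  The rules are heuristics of this example; a hit means "look at
this", not "this is malicious".  OTL_SAMPLE is constructed in OTL's format.
"""
import re
from collections import Counter

# Constructed sample lines in OTL's log format (paths and values are made up
# to exercise each rule; the SID is shortened and the date is arbitrary).
OTL_SAMPLE = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - [2008/04/13 14:36:05 | 000,144,384 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidclass.sys -- (HidUsb)
IE - HKU\S-1-5-21-1-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6C094A7
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"FirewallOverride" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)" = (.+)$')
PROXY_RE = re.compile(r'"ProxyServer" = (\S+)')
O29_RE = re.compile(r"^O29 - HKLM SecurityProviders - \((.+?)\) - (.+?) \((.*)\)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$")


def triage(log_text):
    """Return a list of (kind, detail) findings for the lines of an OTL log."""
    findings = []
    current_key = None  # registry key that following "name" = value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        # Driver/service registrations whose file is gone: left behind by removed software.
        if line.startswith("DRV - ") and "File not found" in line:
            findings.append(("orphaned-driver", line.rsplit("(", 1)[1].rstrip(")")))
        # Autorun entries pointing at files that no longer exist.
        elif line.startswith("O4 - ") and line.endswith("File not found"):
            findings.append(("orphaned-autorun", line.split("[", 1)[1].split("]", 1)[0]))
        # A browser proxy on the loopback address means a local process is relaying
        # web traffic; that can be legitimate software, but it needs identifying.
        elif (m := PROXY_RE.search(line)) and "127.0.0.1" in m.group(1):
            findings.append(("loopback-proxy", m.group(1)))
        # OTL prints the file's company name in the trailing parentheses; a
        # security provider DLL with an empty pair carries no company string.
        elif (m := O29_RE.match(line)) and m.group(3) == "":
            findings.append(("security-provider-no-company", m.group(2)))
        elif m := ADS_RE.match(line):
            findings.append(("alternate-data-stream",
                             f"{m.group(2)}:{m.group(3)} ({m.group(1)} bytes)"))
        elif current_key and (m := VALUE_RE.match(line)):
            name, value = m.groups()
            # Security Center overrides suppress the "no antivirus/firewall" warnings.
            if current_key.endswith("Security Center") and name.endswith("Override") and value == "1":
                findings.append(("security-center-override", name))
            # A firewall profile with EnableFirewall = 0 is switched off entirely.
            elif "FirewallPolicy" in current_key and name == "EnableFirewall" and value == "0":
                findings.append(("firewall-disabled", current_key.rsplit("\\", 1)[-1]))
    return findings


def counts(findings):
    """Number of findings per kind, for a quick summary line."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    results = triage(OTL_SAMPLE)
    for kind, detail in results:
        print(f"{kind:30} {detail}")
    print(dict(counts(results)))
```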

#9 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 July 2012 - 07:45 PM

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>;*.local;127.0.0.1:9421;
    IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O4 - HKLM..\Run: [1A:Stardock TrayMonitor] File not found
    O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found
    O4 - HKLM..\RunServices: [1A:Stardock TrayMonitor] File not found
    O4 - Startup: C:\Documents and Settings\eliana\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 File not found
    O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6C094A7
    @Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F00E008B
    @Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B623B5B8
    @Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282
    @Alternate Data Stream - 153 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DCAF903C
    @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:FF9F3ACA
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:370EF5E8
    @Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C841C093
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DB365884
    @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B34A7CD6
    @Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3741C791
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9AB56A06
    @Alternate Data Stream - 122 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:213583D4
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DA64F2C
    @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E7393FC
    @Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2430E4FC
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E50BC565
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:45E9EFF4
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:38020A20
    @Alternate Data Stream - 111 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:15111B33
    @Alternate Data Stream - 107 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8
    @Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2F0D660C
    @Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:918DBCA9
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E71141D2
    @Alternate Data Stream - 102 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B203B914
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3B68494D
    :Commands
    [EmptyTemp]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.

Now visit ESET and use their online scanner

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check YES, I accept the Terms of Use
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Scan Archives and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.

If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
m0le is a proud member of UNITE
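The fix above acts on four kinds of OTL scan line: an Internet Explorer ProxyServer value pointing at 127.0.0.1, autorun entries whose target file is missing, a SecurityProviders DLL that is not one of the Windows defaults, and a batch of alternate data streams attached to a TEMP folder. As an added example (not part of this thread, and not OTL's own code), the Python below parses lines of those four kinds and sorts them into the categories a responder would triage. The sample input mixes lines quoted from the fix script with three constructed benign lines (a corporate proxy, an existing autorun target, a default provider) so the negatives are visible too; the default SecurityProviders baseline is the Windows XP set and is an assumption to adjust for the OS actually being examined.

```python
"""Triage of OTL-style scan lines (added example; not part of the thread or of OTL).

Categories produced:
  loopback_proxy      IE ProxyServer routes the browser through 127.0.0.1/localhost
  orphan_autorun      O4 autorun entry whose target reads 'File not found'
  nondefault_secprov  O29 SecurityProviders DLL outside the OS default set
  ads                 @Alternate Data Stream entry, grouped per host path
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Windows XP ships exactly these SecurityProviders (assumption: change the
# baseline to match the OS version under examination).
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}
LOOPBACK_HOSTS = {"localhost", "::1"}

PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<value>.+)$')
O29_RE = re.compile(r'^O29 - HKLM SecurityProviders - \((?P<dll>[^)]+)\) - (?P<path>.+?) \((?P<company>[^)]*)\)$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<host>.+):(?P<stream>[^:\\]+)$')


@dataclass(frozen=True)
class Finding:
    category: str  # one of the four categories in the module docstring
    severity: str  # "investigate" (needs a human look) or "cleanup" (leftover)
    subject: str   # registry key, autorun entry, DLL path or ADS host path
    detail: str


def _is_loopback(host: str) -> bool:
    return host.lower() in LOOPBACK_HOSTS or host.startswith("127.")


def proxy_hosts(value: str) -> List[str]:
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...')
    into its host parts, dropping scheme prefixes and ports."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:                       # per-protocol form: scheme=host:port
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0])  # strip the port
    return hosts


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            # A loopback proxy means some local process sits between the browser
            # and the network; legitimate web filters do this too, so the action
            # is to identify the listener on that port, not to assume malware.
            for host in proxy_hosts(m.group("value")):
                if _is_loopback(host):
                    findings.append(Finding("loopback_proxy", "investigate", m.group("key"),
                                            f"browser traffic routed via {host}; identify the listening process"))
            continue
        if line.startswith("O4 - ") and line.endswith("File not found"):
            # Orphaned autorun: the launcher is gone, the registry/Startup entry remains.
            findings.append(Finding("orphan_autorun", "cleanup",
                                    line[len("O4 - "):-len(" File not found")], "target missing"))
            continue
        m = O29_RE.match(line)
        if m:
            # Empty parentheses in OTL output mean the file carries no company
            # version info, which on a security provider DLL deserves a look.
            if m.group("dll").lower() not in DEFAULT_SECURITY_PROVIDERS:
                findings.append(Finding("nondefault_secprov", "investigate", m.group("path"),
                                        m.group("company") or "no version info"))
            continue
        m = ADS_RE.match(line)
        if m:
            findings.append(Finding("ads", "investigate", m.group("host"),
                                    f"stream {m.group('stream')}, {m.group('size')} bytes"))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def ads_by_host(findings: List[Finding]) -> Counter:
    return Counter(f.subject for f in findings if f.category == "ads")


# Lines 1-9 are quoted from the fix script in this thread; the last three are
# constructed benign lines and should produce no findings.
SAMPLE_LINES = [
    r'IE - HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522',
    r'O4 - HKLM..\Run: [1A:Stardock TrayMonitor] File not found',
    r'O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" File not found',
    r'O4 - HKLM..\RunServices: [1A:Stardock TrayMonitor] File not found',
    r'O4 - Startup: C:\Documents and Settings\eliana\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk = File not found',
    r'O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\System32\ZWebAuth.dll ()',
    r'@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A6C094A7',
    r'@Alternate Data Stream - 172 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:F00E008B',
    r'@Alternate Data Stream - 154 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282',
    r'IE - HKU\S-1-5-21-EXAMPLE-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.corp.example:8080',
    r'O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)',
    r'O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)',
]

if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity:11}] {f.category:18} {f.subject}  ({f.detail})")
    print(dict(summarize(results)))
```

The ADS grouping is the point of `ads_by_host`: twenty-odd streams on one folder is one decision (inspect that folder's streams) rather than twenty-odd separate ones, which is how the fix above treats them as well.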

#10 ElianaR

ElianaR
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 08 July 2012 - 12:50 AM

OTL results below

Quick question: After running the OTL & rebooting, ~50 files appeared on the desktop, each starting with ~$

It's very odd - do you know what might be going on?



All processes killed
========== OTL ==========
Service WDICA stopped successfully!
Service WDICA deleted successfully!
Service PDRFRAME stopped successfully!
Service PDRFRAME deleted successfully!
Service PDRELI stopped successfully!
Service PDRELI deleted successfully!
Service PDFRAME stopped successfully!
Service PDFRAME deleted successfully!
Service PDCOMP stopped successfully!
Service PDCOMP deleted successfully!
Service PCIDump stopped successfully!
Service PCIDump deleted successfully!
Service lbrtfdc stopped successfully!
Service lbrtfdc deleted successfully!
Service i2omgmt stopped successfully!
Service i2omgmt deleted successfully!
Service Changer stopped successfully!
Service Changer deleted successfully!
HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-1606980848-1482476501-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\1A:Stardock TrayMonitor deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\\1A:Stardock TrayMonitor deleted successfully.
C:\Documents and Settings\eliana\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk moved successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders:zwebauth.dll deleted successfully.
C:\WINDOWS\system32\ZWebAuth.dll moved successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:A6C094A7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:F00E008B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B623B5B8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1AE68282 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DCAF903C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:FF9F3ACA deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:370EF5E8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C841C093 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DB365884 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B34A7CD6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3741C791 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:9AB56A06 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:213583D4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3DA64F2C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3E7393FC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2430E4FC deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E50BC565 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:45E9EFF4 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:38020A20 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:15111B33 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:288A91F8 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2F0D660C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:918DBCA9 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:E71141D2 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B203B914 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3B68494D deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: eliana
->Temp folder emptied: 4619019543 bytes
->Temporary Internet Files folder emptied: 5354410170 bytes
->Java cache emptied: 133051132 bytes
->FireFox cache emptied: 165866386 bytes
->Google Chrome cache emptied: 33801720 bytes
->Flash cache emptied: 2568647 bytes

User: LocalService
->Temp folder emptied: 66284 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 216366371 bytes

User: sthoenna
->Temp folder emptied: 60756981 bytes
->Temporary Internet Files folder emptied: 205012739 bytes
->Java cache emptied: 4232919 bytes
->FireFox cache emptied: 2292594 bytes
->Flash cache emptied: 862 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3323962 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 124971194 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 120849002 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10,535.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07072012_221745

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

PendingFileRenameOperations files...
File C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

Registry entries deleted on Reboot...

#11 ElianaR

ElianaR
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 08 July 2012 - 10:06 AM

...and here's the log from the ESET scan:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=3669b0248ba805438152bc4d18d09eb6
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-07-08 10:53:01
# local_time=2012-07-08 03:53:01 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=389923
# found=3
# cleaned=3
# scan_time=18128
C:\Documents and Settings\eliana\Desktop\Misc\KeyFinderInstaller.exe Win32/OpenCandy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\eliana\Local Settings\Application Data\Downloaded Installations\{8A989D9B-5EE7-41B5-80C5-94C8775B626D}\PCmover.msi a variant of Win32/PSWTool.PWDump.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\eliana\Local Settings\Application Data\Downloaded Installations\{E25D138A-8FDD-4DB9-A78C-384F9E96A6F7}\PCmover.msi a variant of Win32/PSWTool.PWDump.A application (deleted - quarantined) 00000000000000000000000000000000 C

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:57 AM

Posted 08 July 2012 - 05:29 PM

The "~$" files are owner files and are temporary files.

Take a look here under Owner File (Same Directory as Source File)


The ESET log doesn't show a great deal of problems. How is the machine running?
m0le is a proud member of UNITE

#13 ElianaR

ElianaR
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 08 July 2012 - 08:36 PM

The "~$" files are owner files and are temporary files.

Take a look here under Owner File (Same Directory as Source File)


Sorry, that was a poorly phrased question... my confusion was at their sudden appearance on the desktop... I haven't seen temporary files appear there, especially when none of those documents were open or being used in any way

The ESET log doesn't show a great deal of problems. How is the machine running?


Things are intermittently running slowly - the task manager at those times shows CPU usage at 100%, but some of the times that happens I'm not doing anything memory/processing intensive.

It made sense when I was installing Word that I couldn't do anything else b/c things were so sluggish and tied up, but other times haven't made sense. (But it isn't constant)

I reinstalled Word (from a fresh download directly from Microsoft; I bought it online and don't have a backup disk, just a digital backup service that I bought with the software), and now Word files will open (hurrah!), but after ~10 minutes Word freezes and another ~10 minutes after that says it has encountered a problem and needs to close. It wouldn't let me copy and paste the error report it wanted to send, so I typed up some of it:
(Are there other bits that would be more useful?)

Error Signature
AppName: winword.exe AppVer: 12.0.6514.5001 AppStamp:4a8e09fd
ModName: kernel32.dll ModVer: 5.1.2600.5781 Mod Stamp: 49c4f482

Exception Information
Code: 0xe06d7363
Flags: 0x00000001
Record: 0x0000000000000000
Address:0x000000007c812afb

When I tried to report this most recent error, the computer all but froze (the delay, frex between typing one letter and having it appear on the screen). After ~5-10 minutes, I cancelled it, but it took another ~5 minutes for it to go away, and more time beyond that for the frozen Word files to go away.

During that time the following processes were listed in the task manager:

DW20.exe
OFFDIAG.exe
OFFLB.exe

I assume they are normal parts of the process

(Though I am confused as to why

AppleMobileDeviceService.exe

JoinMEPLayAssistantServices.exe

are always listed in the process list - and when I try to end them, they restart within a few minutes (I know these are probably also perfectly normal, and that something malicious would probably be invisible to someone as ill informed as I am... but I thought I'd ask...)


I can cope with sluggishness, but I really, really, really want to be able to use Word again! ...and not just because I was in the middle of a project before all of this!


Can you tell where this came from? In other words, what I can do to prevent this in the future? Not only is it stressful and inconvenient, but I hate using up your time!

Thank you!

Eliana

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:57 AM

Posted 09 July 2012 - 02:00 PM

Eliana,

You seem to be describing a corrupt file and the error code does bear that out. It isn't malware that is causing these problems and they all seem to be wrapped up with Word. It seems that reinstalling Word doesn't halt the problem so I think a repair of your system files should be our next port of call.

As this is no longer malware-related I may have to refer you away from this thread and start a new topic. I'd rather not so I will see how we go.

We need to run a system file check.

Go to the Run box on the Start Menu and type in:

sfc /scannow

Press Enter

More info on this process can be found here.

Test Word and then please post back to let me know how it's going.
m0le is a proud member of UNITE

#15 ElianaR

ElianaR
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:57 PM

Posted 10 July 2012 - 01:33 AM

Eliana,

You seem to be describing a corrupt file and the error code does bear that out. It isn't malware that is causing these problems and they all seem to be wrapped up with Word. It seems that reinstalling Word doesn't halt the problem so I think a repair of your system files should be our next port of call.

As this is no longer malware-related I may have to refer you away from this thread and start a new topic. I'd rather not so I will see how we go.

We need to run a system file check.

Go to the Run box on the Start Menu and type in:

sfc /scannow

Press Enter

More info on this process can be found here.

Test Word and then please post back to let me know how it's going.


I didn't see a log generated, but there weren't any error messages or sign that it didn't finish (after the initial prompt for my original CDs - thank you for that link, btw, I would not have navigated the process well w/out it!)

I don't know how to evaluate the issues I'm still having, or how/if they interrelate:

1) I get periods when the computer is running very, very slowly - webpages take minutes to load, file manager takes minutes to show the contents of a file, etc. This happens whether or not Word is open (including times when Word had not been opened since the computer had been turned on)

2) Word freezing & then closing - this happened once since I ran the scan. It didn't happen as quickly; this time it coincided with a running slowly period - and the file I was working with is very large and image intensive.

3) Avast opened itself, announced an update, and started trying to install Chrome - without any authorization from me. ...and I couldn't force it to close. I switched off the modem, and, eventually, it allowed me to forcibly close it. Perhaps it was a regularly scheduled update? ...but I haven't seen it do something like that before.

I am bewildered, and feeling very overwhelmed... and outgunned!

I'm not sure what to do now.



