thingameejig Posted March 1, 2010 Posted March 1, 2010 Hello, I would be grateful for any help and advise. I run a pc and two lap tops, i am currently using my main lap top. Last week our on line bank accounts were hacked and monies sent from them to spurious accounts, we stopped this in time. I have been advised that I may have a key logger. Having googled this problem I have down loaded Hijackthis (as it seems to be a popular solution). here are the log results... do they mean anything to you? Can you offer a solution? Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 00:51:16, on 01/03/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Kontiki\KService.exe C:\WINDOWS\system32\nvsvc32.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Genesys PC Camera Device\GenePccMon.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\PROGRA~1\MICROS~2\rapimgr.exe C:\Program Files\My Book\WD Backup\uBBMonitor.exe C:\Program Files\Windows Desktop Search\WindowsSearch.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, Messenger, Unterhaltung, Nachrichten, Sport, Jobs, Immobilien und mehr bei MSN AT R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, Messenger, Unterhaltung, Nachrichten, Sport, Jobs, Immobilien und mehr bei MSN AT R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKLM\..\Run: [identityPatrol] C:\Program Files\IdentityPatrol\IdentityPatrol.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.pitchero.com/profile/ImageUploader5.cab O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Update Service (gupdate1c98cfde1ebe9de) (gupdate1c98cfde1ebe9de) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- End of file - 12987 bytes Quote
ExTS Admin Starbuck Posted March 1, 2010 ExTS Admin Posted March 1, 2010 Hi thingameejig and welcome to Free Pc Help, Unfortunately Hjt isn't as good now as it once was, we need to get a lot more information. Step 1 Please download DeFogger to your desktop. Double click DeFogger to run the tool. The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OK IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop. Do not re-enable these drivers until otherwise instructed. Step 2 Please download GMER from one of the following locations and save it to your desktop:Main Mirror This version will download a randomly named file (Recommended) Zipped Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Disconnect from the Internet and close all running programs. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe. http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress) If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO. Now click the Scan button. If you see a rootkit warning window, click OK. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log. Click the Copy button and paste the results into your next reply. Exit GMER and re-enable all active protection when done. -- If you encounter any problems, try running GMER in Safe Mode. Step 3 Download OTL to your desktop. if you have problems, try this download link: OTL Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted. When the window appears, underneath Output at the top change it to Minimal Output. Check the boxes beside LOP Check and Purity Check. . http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png Now copy the lines in the codebox below. netsvcs msconfig %SYSTEMDRIVE%\*.exe /md5start eventlog.dll scecli.dll netlogon.dll cngaudit.dll sceclt.dll ntelogon.dll logevent.dll iaStor.sys nvstor.sys atapi.sys IdeChnDr.sys viasraid.sys AGP440.sys vaxscsi.sys nvatabus.sys viamraid.sys nvata.sys nvgts.sys iastorv.sys ViPrt.sys eNetHook.dll ahcix86.sys KR10N.sys nvstor32.sys ahcix86s.sys nvrd32.sys symmpi.sys adp3132.sys /md5stop %systemroot%\*. /mp /s %systemroot%\system32\*.dll /lockedfiles %systemroot%\Tasks\*.job /lockedfiles %systemroot%\system32\drivers\*.sys /lockedfiles CREATERESTOREPOINT right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png . Click the Run Scan button. http://img.photobucket.com/albums/v708/starbuck50/runscan.png Do not change any settings unless otherwise told to do so. The scan wont take long. When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. In your next reply, please submit: Gmer.Log Both reports from OTL Thanks Quote Member of:UNITE
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 gmer results gmer results GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover Rootkit scan 2010-03-01 13:27:50 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Stuart\LOCALS~1\Temp\ugliafog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB6DA26B8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB6DA2574] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB6DA2A52] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB6DA214C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB6DA264E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB6DA208C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB6DA20F0] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB6DA276E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB6DA272E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB6DA28AE] ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB95B0360, 0x3061D7, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1012] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\WINDOWS\system32\SearchIndexer.exe[3192] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00600002 IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00600000 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d01536 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d01536@001fe43369ac 0x95 0xCF 0x25 0xEF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001060d16239 Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d01536 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d01536@001fe43369ac 0x95 0xCF 0x25 0xEF ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001060d16239 (not active ControlSet) ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 01: copy of MBR Disk \Device\Harddisk0\DR0 sector 02: copy of MBR Disk \Device\Harddisk0\DR0 sector 03: copy of MBR Disk \Device\Harddisk0\DR0 sector 04: copy of MBR Disk \Device\Harddisk0\DR0 sector 05: copy of MBR Disk \Device\Harddisk0\DR0 sector 06: copy of MBR Disk \Device\Harddisk0\DR0 sector 07: copy of MBR Disk \Device\Harddisk0\DR0 sector 08: copy of MBR Disk \Device\Harddisk0\DR0 sector 09: copy of MBR Disk \Device\Harddisk0\DR0 sector 10: copy of MBR Disk \Device\Harddisk0\DR0 sector 11: copy of MBR Disk \Device\Harddisk0\DR0 sector 12: copy of MBR Disk \Device\Harddisk0\DR0 sector 13: copy of MBR Disk \Device\Harddisk0\DR0 sector 14: copy of MBR Disk \Device\Harddisk0\DR0 sector 15: copy of MBR Disk \Device\Harddisk0\DR0 sector 16: copy of MBR Disk \Device\Harddisk0\DR0 sector 17: copy of MBR Disk \Device\Harddisk0\DR0 sector 18: copy of MBR Disk \Device\Harddisk0\DR0 sector 19: copy of MBR Disk \Device\Harddisk0\DR0 sector 20: copy of MBR Disk \Device\Harddisk0\DR0 sector 21: copy of MBR Disk \Device\Harddisk0\DR0 sector 22: copy of MBR Disk \Device\Harddisk0\DR0 sector 23: copy of MBR Disk \Device\Harddisk0\DR0 sector 24: copy of MBR Disk \Device\Harddisk0\DR0 sector 25: copy of MBR Disk \Device\Harddisk0\DR0 sector 26: copy of MBR Disk \Device\Harddisk0\DR0 sector 27: copy of MBR Disk \Device\Harddisk0\DR0 sector 28: copy of MBR Disk \Device\Harddisk0\DR0 sector 29: copy of MBR Disk \Device\Harddisk0\DR0 sector 30: copy of MBR Disk \Device\Harddisk0\DR0 sector 31: copy of MBR Disk \Device\Harddisk0\DR0 sector 32: copy of MBR Disk \Device\Harddisk0\DR0 sector 33: copy of MBR Disk \Device\Harddisk0\DR0 sector 34: copy of MBR Disk \Device\Harddisk0\DR0 sector 35: copy of MBR Disk \Device\Harddisk0\DR0 sector 36: copy of MBR Disk \Device\Harddisk0\DR0 sector 37: copy of MBR Disk \Device\Harddisk0\DR0 sector 38: copy of MBR Disk \Device\Harddisk0\DR0 sector 39: copy of MBR Disk \Device\Harddisk0\DR0 sector 40: copy of MBR Disk \Device\Harddisk0\DR0 sector 41: copy of MBR Disk \Device\Harddisk0\DR0 sector 42: copy of MBR Disk \Device\Harddisk0\DR0 sector 43: copy of MBR Disk \Device\Harddisk0\DR0 sector 44: copy of MBR Disk \Device\Harddisk0\DR0 sector 45: copy of MBR Disk \Device\Harddisk0\DR0 sector 46: copy of MBR Disk \Device\Harddisk0\DR0 sector 47: copy of MBR Disk \Device\Harddisk0\DR0 sector 48: copy of MBR Disk \Device\Harddisk0\DR0 sector 49: copy of MBR Disk \Device\Harddisk0\DR0 sector 50: copy of MBR Disk \Device\Harddisk0\DR0 sector 51: copy of MBR Disk \Device\Harddisk0\DR0 sector 52: copy of MBR Disk \Device\Harddisk0\DR0 sector 53: copy of MBR Disk \Device\Harddisk0\DR0 sector 54: copy of MBR Disk \Device\Harddisk0\DR0 sector 55: copy of MBR Disk \Device\Harddisk0\DR0 sector 56: copy of MBR Disk \Device\Harddisk0\DR0 sector 57: copy of MBR Disk \Device\Harddisk0\DR0 sector 58: copy of MBR Disk \Device\Harddisk0\DR0 sector 59: copy of MBR Disk \Device\Harddisk0\DR0 sector 60: copy of MBR Disk \Device\Harddisk0\DR0 sector 61: copy of MBR Disk \Device\Harddisk0\DR0 sector 62: copy of MBR Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR ---- EOF - GMER 1.0.15 ---- Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 OTL report OTL logfile created on: 01/03/2010 14:26:36 - Run 1 OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Stuart\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free 5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 232.88 Gb Total Space | 164.54 Gb Free Space | 70.66% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: EXTREMEPAD Current User Name: Stuart Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\Documents and Settings\Stuart\Desktop\OTL.exe (OldTimer Tools) PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software) PRC - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft) PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) PRC - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation) PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation) PRC - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation) PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.) PRC - C:\Program Files\Kontiki\KService.exe (Kontiki Inc.) PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE (HP) PRC - C:\Program Files\Genesys PC Camera Device\GenePccMon.exe () PRC - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG) PRC - C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe (Nero AG) PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation) PRC - C:\Program Files\Microsoft ActiveSync\rapimgr.exe (Microsoft Corporation) PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation) PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) PRC - C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.) ========== Modules (SafeList) ========== MOD - C:\Documents and Settings\Stuart\Desktop\OTL.exe (OldTimer Tools) MOD - C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll (ALWIL Software) MOD - C:\WINDOWS\AppPatch\aclayers.dll (Microsoft Corporation) MOD - C:\WINDOWS\system32\shimeng.dll (Microsoft Corporation) ========== Win32 Services (SafeList) ========== SRV - (GoogleDesktopManager-110309-193829) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google) SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software) SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software) SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software) SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software) SRV - (TomTomHOMEService) -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (TomTom) SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft) SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit) SRV - (MSSQL$MSSMLBIZ) SQL Server (MSSMLBIZ) -- c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation) SRV - (SQLWriter) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation) SRV - (SQLBrowser) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation) SRV - (MSSQLServerADHelper) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation) SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.) SRV - (KService) -- C:\Program Files\Kontiki\KService.exe (Kontiki Inc.) SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation) SRV - (WLSetupSvc) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe (Microsoft Corporation) SRV - (usnjsvc) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe (Microsoft Corporation) SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPZIPM12.EXE (HP) SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.) SRV - (HP Port Resolver) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE (Hewlett-Packard Company) SRV - (HP Status Server) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE (Hewlett-Packard Company) ========== Driver Services (SafeList) ========== DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software) DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software) DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software) DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software) DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software) DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software) DRV - (USBAAPL) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.) DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB) DRV - (GEARAspiWDM) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.) DRV - (usb_rndisx) -- C:\WINDOWS\system32\drivers\usb8023x.sys (Microsoft Corporation) DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (Secdrv) -- C:\WINDOWS\system32\drivers\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.) DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation) DRV - (RTSTOR) -- C:\WINDOWS\system32\drivers\RTSTOR.sys (Realtek Semiconductor Corp.) DRV - (DCamUSBGene) -- C:\WINDOWS\system32\drivers\USBGENE.sys (Genesys Logic, Inc.) DRV - (s117obex) -- C:\WINDOWS\system32\drivers\s117obex.sys (MCCI Corporation) DRV - (s117mdm) -- C:\WINDOWS\system32\drivers\s117mdm.sys (MCCI Corporation) DRV - (s117mgmt) Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM) -- C:\WINDOWS\system32\drivers\s117mgmt.sys (MCCI Corporation) DRV - (s117unic) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM) -- C:\WINDOWS\system32\drivers\s117unic.sys (MCCI Corporation) DRV - (s117nd5) Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS) -- C:\WINDOWS\system32\drivers\s117nd5.sys (MCCI Corporation) DRV - (s117mdfl) -- C:\WINDOWS\system32\drivers\s117mdfl.sys (MCCI Corporation) DRV - (s117bus) Sony Ericsson Device 117 driver (WDM) -- C:\WINDOWS\system32\drivers\s117bus.sys (MCCI Corporation) DRV - (RTLE8023xp) -- C:\WINDOWS\system32\drivers\Rtenicxp.sys (Realtek Semiconductor Corporation ) DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (AR5211) -- C:\WINDOWS\system32\drivers\ar5211.sys (Atheros Communications, Inc.) DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.) DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.) DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.) DRV - (mdmxsdk) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant) DRV - (UIUSys) -- C:\WINDOWS\system32\drivers\UIUSYS.SYS (Conexant Systems, Inc) DRV - (Ptilink) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.) DRV - (PxHelp20) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions) DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.) DRV - (StillCam) -- C:\WINDOWS\system32\drivers\serscan.sys (Microsoft Corporation) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Bing [binary data] IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1 IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "Sign In" FF - prefs.js..extensions.enabledItems: en-GB@dictionaries.addons.mozilla.org:1.19 FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717 FF - HKLM\software\mozilla\Firefox\extensions\\{8EFF74B6-7518-4FF3-B5AA-09FFE4CF82B3}: C:\Documents and Settings\Stuart\Local Settings\Application Data\{8EFF74B6-7518-4FF3-B5AA-09FFE4CF82B3} [2010/01/15 10:36:58 | 000,000,000 | ---D | M] [2009/01/26 14:57:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Extensions [2009/01/26 14:57:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Extensions\home2@tomtom.com [2009/01/11 17:39:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions [2008/11/28 08:16:45 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1} [2008/04/06 21:48:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\Access Privileges Test [2008/03/26 22:20:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Mozilla\Firefox\Profiles\v594u440.default\extensions\en-GB@dictionaries.addons.mozilla.org [2009/01/11 18:36:40 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2007/12/19 12:57:38 | 000,310,272 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll [2008/03/24 19:21:00 | 002,889,088 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll O1 HOSTS File: ([2009/08/14 10:31:37 | 000,001,090 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: 127.0.0.1 208.67.70.3 O1 - Hosts: 127.0.0.1 38.99.150.167 O1 - Hosts: 127.0.0.1 38.99.150.205 O1 - Hosts: 127.0.0.1 88.255.90.60 O1 - Hosts: 127.0.0.1 opal.spod.org O1 - Hosts: 127.0.0.1 sendspace.com O1 - Hosts: 127.0.0.1 ad1.ny.yieldmanager.com O1 - Hosts: 127.0.0.1 ad2.ny.yieldmanager.com O1 - Hosts: 127.0.0.1 ny.yieldmanager.com O1 - Hosts: 127.0.0.1 yieldmanager.com O1 - Hosts: 127.0.0.1 193.165.167.2 O1 - Hosts: 127.0.0.1 152.66.249.135 O1 - Hosts: 192.168.1.72 HP0019BBE9D69E O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated) O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found. O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found. O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.) O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found. O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.) O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation) O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.) O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) O4 - HKLM..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe () O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google) O4 - HKLM..\Run: [identityPatrol] C:\Program Files\IdentityPatrol\IdentityPatrol.exe (Identity Patrol) O4 - HKLM..\Run: [iSUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [iSUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation) O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.) O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.) O4 - HKLM..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.) O4 - HKLM..\Run: [sunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.) O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG) O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation) O4 - HKCU..\Run: [TomTomHOME.exe] C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe (TomTom) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit UK) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe (ArcSoft, Inc.) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet) O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet) O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} http://upload.facebook.com/controls/FacebookPhotoUploader3.cab (Facebook Photo Uploader 4 Control) O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.pitchero.com/profile/ImageUploader5.cab (Image Uploader Control) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 OTL report continued http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab (EPUImageControl Class) O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254 O18 - Protocol\Handler\intu-res {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll () O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Stuart\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010/01/16 03:36:33 | 000,000,025 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O33 - MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell - "" = AutoRun O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe () O35 - comfile [open] -- "%1" %* O35 - exefile [open] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/01/08 11:46:07 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found MsConfig - State: "system.ini" - 0 MsConfig - State: "win.ini" - 0 MsConfig - State: "bootini" - 0 MsConfig - State: "services" - 0 MsConfig - State: "startup" - 0 CREATERESTOREPOINT Restore point Set: OTL Restore Point (72342462038802432) ========== Files/Folders - Created Within 30 Days ========== [2010/03/01 14:21:01 | 000,551,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Stuart\Desktop\OTL.exe [2010/03/01 00:49:46 | 000,000,000 | ---D | C] -- C:\Program Files\TrendMicro [2010/02/25 13:09:59 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe [2010/02/22 22:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallShield [2010/02/22 22:22:47 | 000,000,000 | ---D | C] -- C:\Program Files\CA Design [2010/02/19 21:30:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2010/02/19 21:26:39 | 000,017,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll [2010/02/14 20:47:18 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes [2010/02/14 20:44:07 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime [2009/09/23 06:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2009/02/13 06:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google [2009/02/12 10:37:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google [2009/01/11 11:11:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2009/01/11 11:11:38 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [2008/02/05 15:43:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple [2008/01/09 18:40:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe [2006/02/19 03:28:56 | 000,012,288 | ---- | C] (Hewlett-Packard Development Company, L.P.) -- C:\WINDOWS\Fonts\RandFont.dll [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2010/03/01 14:29:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job [2010/03/01 14:21:05 | 000,551,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Stuart\Desktop\OTL.exe [2010/03/01 14:02:40 | 000,002,519 | ---- | M] () -- C:\WINDOWS\System32\sk_bho.ini [2010/03/01 14:02:04 | 000,013,672 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/03/01 14:00:31 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2010/03/01 14:00:03 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job [2010/03/01 14:00:01 | 000,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job [2010/03/01 14:00:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/03/01 13:59:51 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/03/01 12:17:37 | 001,002,044 | ---- | M] () -- C:\WINDOWS\System32\IDPExe.zip [2010/03/01 12:17:37 | 000,000,076 | ---- | M] () -- C:\WINDOWS\System32\IDPVer.ini [2010/03/01 12:17:27 | 001,669,117 | ---- | M] () -- C:\WINDOWS\System32\IDPSig.zip [2010/03/01 12:13:34 | 012,058,624 | -H-- | M] () -- C:\Documents and Settings\Stuart\NTUSER.DAT [2010/03/01 12:13:10 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Stuart\ntuser.ini [2010/03/01 12:11:58 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Stuart\defogger_reenable [2010/03/01 11:32:08 | 000,000,036 | ---- | M] () -- C:\WINDOWS\System32\10001.sks [2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10004.sks [2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10003.sks [2010/03/01 11:32:08 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\10002.sks [2010/03/01 09:19:27 | 000,002,380 | ---- | M] () -- C:\WINDOWS\System32\BlockedCookies [2010/03/01 00:50:27 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Stuart\Desktop\HiJackThis.lnk [2010/03/01 00:03:47 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job [2010/02/26 07:06:27 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk [2010/02/24 07:52:48 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/02/23 18:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job [2010/02/22 22:22:53 | 000,001,824 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CADwizz Ultra.lnk [2010/02/21 22:36:22 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm [2010/02/21 22:36:22 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm [2010/02/19 21:39:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010/02/19 21:26:21 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb [2010/02/19 21:26:21 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb [2010/02/19 00:29:07 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk [2010/02/18 15:37:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm [2010/02/18 15:37:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm [2010/02/18 14:57:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2010/02/17 16:16:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm [2010/02/17 16:16:44 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm [2010/02/14 21:01:44 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk [2010/02/13 14:28:01 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk [2010/02/12 10:03:03 | 000,293,376 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe [2010/02/11 16:37:08 | 000,040,827 | ---- | M] () -- C:\Documents and Settings\Stuart\My Documents\Design Solutions UK Ltd.docx [2010/02/09 14:33:04 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm [2010/02/09 14:33:04 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm [2010/02/04 22:47:12 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm [2010/02/04 22:47:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm [2010/02/02 14:35:08 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm [2010/02/02 14:35:08 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm [2010/02/02 10:57:12 | 000,000,007 | ---- | M] () -- C:\WINDOWS\sbacknt.bin [2010/02/01 22:55:07 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm [2010/02/01 22:55:07 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm [2010/02/01 20:21:41 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm [2010/02/01 20:21:41 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/03/01 12:18:03 | 000,622,113 | ---- | C] () -- C:\WINDOWS\System32\IDPList.dll [2010/03/01 12:18:03 | 000,013,772 | ---- | C] () -- C:\WINDOWS\System32\IDPImmData.dll [2010/03/01 12:18:02 | 000,000,162 | ---- | C] () -- C:\WINDOWS\System32\IDPCritProc.dll [2010/03/01 12:17:37 | 001,002,044 | ---- | C] () -- C:\WINDOWS\System32\IDPExe.zip [2010/03/01 12:17:27 | 001,669,117 | ---- | C] () -- C:\WINDOWS\System32\IDPSig.zip [2010/03/01 12:11:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Stuart\defogger_reenable [2010/03/01 00:49:46 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Stuart\Desktop\HiJackThis.lnk [2010/02/26 07:06:27 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk [2010/02/22 22:22:53 | 000,001,824 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\CADwizz Ultra.lnk [2010/02/19 21:30:09 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/02/14 20:48:11 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk [2010/02/13 14:28:01 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk [2010/02/11 16:37:08 | 000,040,827 | ---- | C] () -- C:\Documents and Settings\Stuart\My Documents\Design Solutions UK Ltd.docx [2010/01/16 02:04:05 | 000,000,042 | ---- | C] () -- C:\WINDOWS\System32\RegistryPatrolUpdates.ini [2010/01/16 01:30:24 | 000,000,076 | ---- | C] () -- C:\WINDOWS\System32\IDPVer.ini [2010/01/16 01:30:06 | 000,002,519 | ---- | C] () -- C:\WINDOWS\System32\sk_bho.ini [2010/01/15 23:16:50 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\openList.awt [2010/01/15 23:16:50 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\closedList.awt [2010/01/15 15:00:43 | 000,000,089 | ---- | C] () -- C:\WINDOWS\wininit.ini [2010/01/15 10:33:35 | 000,000,004 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat [2010/01/08 21:50:22 | 000,171,080 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2009/08/31 14:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll [2009/08/31 14:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll [2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll [2009/01/09 16:52:12 | 000,162,304 | ---- | C] () -- C:\WINDOWS\System32\ztvunrar36.dll [2009/01/09 16:52:12 | 000,153,088 | ---- | C] () -- C:\WINDOWS\System32\UNRAR3.dll [2009/01/09 16:52:12 | 000,077,312 | ---- | C] () -- C:\WINDOWS\System32\ztvunace26.dll [2009/01/09 16:52:12 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll [2008/03/26 20:07:12 | 000,000,221 | ---- | C] () -- C:\WINDOWS\NCLogConfig.ini [2008/03/01 23:23:43 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\LocalService\Application Data\$_hpcst$.hpc [2008/01/11 21:51:00 | 000,198,656 | ---- | C] () -- C:\Documents and Settings\Stuart\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008/01/10 20:47:59 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2008/01/10 11:27:03 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI [2008/01/09 22:54:22 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat [2008/01/08 23:56:56 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Stuart\Application Data\$_hpcst$.hpc [2008/01/08 21:31:47 | 000,000,191 | ---- | C] () -- C:\WINDOWS\WinHelp.ini [2008/01/08 21:04:17 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Stuart\Local Settings\Application Data\fusioncache.dat [2008/01/08 20:50:59 | 000,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll [2008/01/08 20:50:45 | 000,000,166 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini [2008/01/08 20:48:26 | 000,000,737 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini [2008/01/08 20:35:50 | 000,001,400 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log [2008/01/08 12:50:04 | 000,515,328 | R--- | C] () -- C:\WINDOWS\System32\drivers\USBGENE1.sys [2008/01/08 12:50:04 | 000,232,704 | R--- | C] () -- C:\WINDOWS\System32\drivers\USBGENE0.sys [2007/11/20 13:32:41 | 000,025,964 | ---- | C] () -- C:\WINDOWS\System32\IDPSigLevel.dll [2007/11/20 13:32:40 | 005,527,385 | ---- | C] () -- C:\WINDOWS\System32\IDPRSig.dll [2007/11/20 13:32:39 | 004,985,733 | ---- | C] () -- C:\WINDOWS\System32\IDPFSig.dll [2007/11/20 13:32:39 | 000,343,272 | ---- | C] () -- C:\WINDOWS\System32\IDPESig.dll [2007/11/20 13:32:39 | 000,002,380 | ---- | C] () -- C:\WINDOWS\System32\IDPBlkCoo.dll [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2007/09/06 09:55:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll [2007/09/06 09:55:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll [2007/09/06 09:55:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll [2007/09/06 09:55:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll [2006/02/28 12:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll [2006/02/28 12:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll [2006/02/28 12:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll [2006/02/28 12:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll [2006/02/28 12:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll [2001/07/07 03:00:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 OTL report continued ========== LOP Check ========== [2008/03/14 00:44:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES [2010/03/01 14:29:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kontiki [2009/12/08 09:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound [2010/01/11 09:42:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SITEguard [2008/12/21 13:41:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sky [2008/06/11 06:47:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sony [2010/01/15 17:28:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\STOPzilla! [2010/02/26 19:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2010/01/14 18:09:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom [2009/03/12 10:35:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} [2009/09/10 14:11:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} [2009/04/09 17:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} [2010/01/15 19:37:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9} [2009/09/22 13:10:26 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864} [2009/12/08 09:23:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\NCH Swift Sound [2009/01/09 16:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Simply Super Software [2008/02/29 00:23:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\social.im [2008/07/04 07:10:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Sony [2009/01/26 14:57:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\TomTom [2010/01/12 13:07:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\vghd [2009/01/13 21:34:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Windows Desktop Search [2009/03/18 11:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Stuart\Application Data\Windows Search [2010/02/23 18:49:00 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job [2010/03/01 14:00:01 | 000,000,256 | ---- | M] () -- C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job [2010/03/01 00:03:47 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys < MD5 for: ATAPI.SYS > [2006/02/28 12:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2008/09/08 07:31:27 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys [2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys [2006/02/28 12:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2006/02/28 12:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2006/02/28 12:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll < MD5 for: SCECLI.DLL > [2006/02/28 12:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [2009/03/08 03:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll [2009/03/08 03:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll [4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\system32\drivers\*.sys /lockedfiles > ========== Alternate Data Streams ========== @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9239D250 @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 < End of report > Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 Extras report OTL Extras logfile created on: 01/03/2010 14:26:36 - Run 1 OTL by OldTimer - Version 3.1.32.0 Folder = C:\Documents and Settings\Stuart\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy 3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 78.00% Memory free 5.00 Gb Paging File | 4.00 Gb Available in Paging File | 87.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 232.88 Gb Total Space | 164.54 Gb Free Space | 70.66% Space Free | Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: EXTREMEPAD Current User Name: Stuart Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: Off Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .reg [@ = regfile] -- [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = htmlfile] -- Reg Error: Key error. File not found ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* exefile [open] -- "%1" %* htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation) htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [open] -- regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation) scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List] "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall" = 1 "DoNotAllowExceptions" = 0 "DisableNotifications" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation) "C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "D:\setup\HPZNET01.EXE" = D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe -- File not found "D:\setup\HPONICIFS01.EXE" = D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe -- File not found "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- () "C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard) "C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard) "C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- (Hewlett-Packard) "C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( ) "C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Development Company, L.P.) "C:\Program Files\Microsoft ActiveSync\rapimgr.exe" = C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation) "C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application -- (Microsoft Corporation) "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation) "C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2008\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.) "C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe" = C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home -- (Nero AG) "C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation) "C:\Program Files\Kontiki\KService.exe" = C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service -- (Kontiki Inc.) "C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.) "C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.) "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour "{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis "{0A65A3BD-54B5-4d0d-B084-7688507813F5}" = SlideShow "{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics "{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0 "{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime "{15C0AF59-4877-49B6-B8C6-A61CE54515F5}" = cp_OnlineProjectsConfig "{2376813B-2E5A-4641-B7B3-A0D5ADB55229}" = HPPhotoSmartExpress "{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java 6 Update 18 "{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ) "{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth "{2F58D60D-2BFD-4467-9B4D-64E7355C329D}" = Sonic_PrimoSDK "{2F8C106A-7DFC-45DE-8006-F9145AADF1D8}" = iPod Updater 2004-08-06 "{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java 6 Update 3 "{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5 "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7 "{33BF0960-DBA3-4187-B6CC-C969FCFA2D25}" = SkinsHP1 "{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar) "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{363790D2-DA98-41DD-9C9F-69FA36B169DE}" = PanoStandAlone "{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant "{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel "{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support "{3FB39BED-37C8-4E60-8E02-315B8C2B07E3}" = Genesys PC Camera Device "{41E776A5-9B12-416D-9A12-B4F7B044EBED}" = CP_Package_Basic1 "{45B8A76B-57EC-4242-B019-066400CD8428}" = BufferChm "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4B41AE13-BA0E-4328-8E83-AD2A0BEB33EB}" = Sky Player "{4EA684E9-5C81-4033-A696-3019EC57AC3A}" = HPProductAssistant "{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies "{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger "{516DC482-7BEB-4E1E-BCFC-879C50D315FB}" = Amethyst CADwizz Ultra "{53EE9E42-CECB-4C92-BF76-9CA65DAF8F1C}" = FullDPAppQFolder "{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English) "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features "{5545B622-9998-4f13-9CD6-B908675BDCB2}" = QuickBooks Pro Edition 2006 "{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer "{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service "{66910000-8B30-4973-A159-6371345AFFA5}" = WebReg "{6696D9A4-28A8-4F5A-8E9A-2E8974C8C39C}" = RandMap "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD "{68763C27-235D-4165-A961-FDEA228CE504}" = AiOSoftwareNPI "{6909F917-5499-482e-9AA1-FAD06A99F231}" = Toolbox "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{736C803C-DD3B-4015-BC51-AFB9E67B9076}" = Readme "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar) "{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar "{7C03270C-4FAB-4F5C-B10D-52FEDA190790}" = DocumentViewerQFolder "{7E545666-F422-45FD-B3DF-C0B99A1A579F}" = QuickBooks Pro 2008 "{7E7B7865-6C80-4373-8BC1-C2EB9431F9DE}" = ProductContextNPI "{8331C3EA-0C91-43AA-A4D4-27221C631139}" = Status "{876A4C7A-412A-40b8-9DCF-B04D2339B73E}" = c7100_Help "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A4CE7FD-9657-4B06-9943-E1819F3D5D67}" = DocProc "{8CE4E6E9-9D55-43FB-9DDB-688C976BFC05}" = Unload "{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}" = TomTom HOME Visual Studio Merge Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 extras report continued Modules "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12 "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007 "{90120000-0015-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007 "{90120000-0016-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007 "{90120000-0018-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007 "{90120000-0019-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007 "{90120000-001A-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_PROHYBRIDR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_PROHYBRIDR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007 "{90120000-001F-0C0A-0000-0000000FF1CE}_PROHYBRIDR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}_PROHYBRIDR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007 "{90120000-0117-0409-0000-0000000FF1CE}_PROHYBRIDR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components "{91120000-0031-0000-0000-0000000FF1CE}" = Microsoft Office Professional Hybrid 2007 "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2) "{91120000-0031-0000-0000-0000000FF1CE}_PROHYBRIDR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant "{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector "{99052DB7-9592-4522-A558-5417BBAD48EE}" = Microsoft ActiveSync "{996512CF-F35B-48DE-9291-557FA5316967}" = ScannerCopy "{A29800BA-0BF1-4E63-9F31-DF05A87F4104}" = InstantShareDevices "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A351224F-533A-4EED-89F4-0BF3417FD31D}" = WD Backup "{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar) "{A7B279F4-E9B0-470F-A6A0-54C31C340DBC}" = C7100 "{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components "{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1 "{B2157760-AA3C-4E2E-BFE6-D20BC52495D9}" = cp_PosterPrintConfig "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2 "{B6286A44-7505-471A-A72B-04EC2DB2F442}" = CueTour "{B69CFE29-FD03-4E0A-87A7-6ED97F98E5B3}" = CP_Panorama1Config "{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply "{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client "{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}" = HP Photosmart, Officejet and Deskjet 7.0.A "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C1C6767D-B395-43CB-BF99-051B58B86DA6}" = PhotoGallery "{C7F54CF8-D6FB-4E0A-93A3-E68AE0D6C476}" = SolutionCenter "{C8753E28-2680-49BF-BD48-DD38FD086EFE}" = AiO_Scan_CDA "{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}" = HP Update "{C994D98C-293D-4825-958E-EB684B4D413F}" = MSN Toolbar "{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1 "{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar "{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari "{DBC20735-34E6-4E97-A9E5-2066B66B243D}" = TrayApp "{DC24971E-1946-445D-8A82-CE685433FA7D}" = Realtek USB 2.0 Card Reader "{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware "{E1B80DEE-A795-4258-8445-074C06AE3AB8}" = MarketResearch "{E3CAAC8F-DEFD-4985-BFA3-0F6FCBCAC55E}" = Amethyst CADwizz MAX V3 "{ED2C557E-9C18-41FF-B58E-A05EEF0B3B5F}" = CP_CalendarTemplates1 "{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar) "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{F157460F-720E-482f-8625-AD7843891E5F}" = InstantShareDevicesMFC "{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729) "{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01 "{F3760724-B29D-465B-BC53-E5D72095BCC4}" = Scan "{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes "{F6076EF9-08E1-442F-B6A2-BFB61B295A14}" = Fax_CDA "{F87DA817-8D53-42CC-AA45-93A100341033}" = Nero 7 Essentials "{FA54AFB1-5745-4389-B8C1-9F7509672ED1}" = iPhone Configuration Utility "{FB15E224-67C3-491F-9F5C-F257BC418412}" = Destinations "{FBB980B0-63F8-4B48-8D65-90F1D9F81D9F}" = NewCopy_CDA "{FE7E1DD7-EBCE-4696-ADE2-22BDBF2372DA}" = DocumentViewer "Ad-Aware" = Ad-Aware "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "avast!" = avast! Antivirus "BCM Monitor" = BCM Monitor "Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2 "CNXT_MODEM_PCI_VEN_14F1&DEV_2C06&SUBSYS_14F10000" = Soft Modem with SmartCP "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com "Google Desktop" = Google Desktop "Google Updater" = Google Updater "HP Document Viewer" = HP Document Viewer 7.0 "HP Imaging Device Functions" = HP Imaging Device Functions 7.0 "HP Photo & Imaging" = HP Photosmart Premier Software 6.5 "HP Solution Center & Imaging Support Tools" = HP Solution Center 7.0 "HPExtendedCapabilities" = HP Customer Participation Program 7.0 "HPOCR" = OCR Software by I.R.I.S 7.0 "Identity Patrol v2.0" = Identity Patrol v2.0 "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "InstallShield_{2F8C106A-7DFC-45DE-8006-F9145AADF1D8}" = iPod Updater 2004-08-06 "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft SQL Server 2005" = Microsoft SQL Server 2005 "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "Nortel Business Element Manager" = Nortel Business Element Manager "NVIDIA Drivers" = NVIDIA Drivers "PKR" = PKR "PROHYBRIDR" = 2007 Microsoft Office system "Registry Patrol" = Registry Patrol "Shop for HP Supplies" = Shop for HP Supplies "Switch" = Switch Sound File Converter "SynTPDeinstKey" = Synaptics Pointing Device Driver "TomTom HOME" = TomTom HOME 2.7.3.1894 "vghd" = VirtuaGirl HD "Windows Live Toolbar" = Windows Live Toolbar "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows Mobile Device Handbook" = Windows Mobile® Device Handbook "Windows XP Service Pack" = Windows XP Service Pack 3 "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 "Yahoo! Software Update" = Yahoo! Software Update ========== Last 10 Event Log Errors ========== [ Antivirus Events ] Error - 30/12/2008 17:12:02 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\TFDPR1FL\aa[1].js failed, 0000A413. Error - 30/12/2008 17:12:02 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of https://anytimepc-client.sky.com/vod/page/home.do failed, 0000A413. Error - 06/01/2009 14:46:12 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = Internal error has occurred in module aswar scan function failed!, function A0000111. Error - 05/11/2009 07:24:47 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://fb.mindjolt.com/fb/ad/game_iframead.jsp?gameKey=OU72CABMJ3BRHVFI&fb_sig_in_iframe=1&fb_sig_iframe_key=751d31dd6b56b26b... failed, 0000A413. Error - 05/11/2009 18:16:55 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of MindJolt Games... failed, 0000A413. Error - 06/11/2009 22:35:40 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of http://fb.mindjolt.com/fb/ad/game_iframead.jsp?gameKey=OU72CABMJ3BRHVFI&fb_sig_in_iframe=1&fb_sig_iframe_key=faeac4e1eef307c2... failed, 0000A413. Error - 08/11/2009 04:14:34 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK failed, 0000A413. Error - 16/01/2010 00:24:38 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005. Error - 16/01/2010 08:27:26 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005. Error - 16/01/2010 19:37:20 | Computer Name = EXTREMEPAD | Source = avast! | ID = 33554522 Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of C:\DOCUMENTS AND SETTINGS\STUART\LOCAL SETTINGS\APPLICATION DATA\GOOGLE\GOOGLE DESKTOP\42AC6A93CE20\SIDEBAR_REMOVED_PLUGIN_DATA failed, 00000005. [ Application Events ] Error - 24/02/2010 14:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20 Description = Error - 24/02/2010 15:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20 Description = Error - 24/02/2010 16:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20 Description = Error - 24/02/2010 17:24:05 | Computer Name = EXTREMEPAD | Source = Google Update | ID = 20 Description = Error - 25/02/2010 09:06:06 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000 Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c. Error - 26/02/2010 03:03:46 | Computer Name = EXTREMEPAD | Source = Windows Search Service | ID = 3024 Description = The update cannot be started because the content sources cannot be accessed. Fix the errors and try the update again. Context: Application, SystemIndex Catalog Error - 26/02/2010 12:22:49 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000 Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c. Error - 26/02/2010 16:41:20 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000 Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c. Error - 28/02/2010 21:34:32 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000 Description = Faulting application hijackthis.exe, version 2.0.0.3, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c. Error - 01/03/2010 08:18:37 | Computer Name = EXTREMEPAD | Source = Application Error | ID = 1000 Description = Faulting application identitypatrol.exe, version 2.2.0.0, faulting module msvbvm60.dll, version 6.0.98.2, fault address 0x0005d26c. [ OSession Events ] Error - 13/08/2009 07:14:35 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 3 seconds with 0 seconds of active time. This session ended with a crash. Error - 13/08/2009 07:19:48 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 104 seconds with 60 seconds of active time. This session ended with a crash. Error - 02/09/2009 14:56:36 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6316.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 218 seconds with 180 seconds of active time. This session ended with a crash. Error - 28/09/2009 17:41:55 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 110 seconds with 0 seconds of active time. This session ended with a crash. Error - 11/10/2009 08:48:58 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6504.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 97 seconds with 60 seconds of active time. This session ended with a crash. Error - 27/10/2009 17:06:35 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 103 seconds with 60 seconds of active time. This session ended with a crash. Error - 08/12/2009 01:50:10 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 213 seconds with 60 seconds of active time. This session ended with a crash. Error - 10/12/2009 09:09:10 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1827 seconds with 240 seconds of active time. This session ended with a crash. Error - 12/12/2009 16:30:31 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 71 seconds with 60 seconds of active time. This session ended with a crash. Error - 28/01/2010 04:04:38 | Computer Name = EXTREMEPAD | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 329 seconds with 120 seconds of active time. This session ended with a crash. [ System Events ] Error - 24/02/2010 06:18:20 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 26/02/2010 16:40:38 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 01/03/2010 03:52:28 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 01/03/2010 08:16:41 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 01/03/2010 08:43:00 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 01/03/2010 08:54:01 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011 Description = Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service. Error - 01/03/2010 08:54:31 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011 Description = Timeout (30000 milliseconds) waiting for a transaction response from the avast! Mail Scanner service. Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 extras report continued Error - 01/03/2010 08:55:01 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7011 Description = Timeout (30000 milliseconds) waiting for a transaction response from the service. Error - 01/03/2010 09:04:58 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. Error - 01/03/2010 10:02:03 | Computer Name = EXTREMEPAD | Source = Service Control Manager | ID = 7022 Description = The KService service hung on starting. < End of report > Quote
ExTS Admin Starbuck Posted March 1, 2010 ExTS Admin Posted March 1, 2010 Hi thingameejig, Step 1 Click on start... settings... control panel and double-click on Add or Remove Programs. From within Add or Remove Programs uninstall the following: Java 6 Update 3 Java 6 Update 5 Java 6 Update 7 These are old versions of Java and should have been removed. Don't remove... Java 6 Update 18 This is the latest version. Reboot the system when completed. Step 2 Double click on OTL.exe to run it. Copy the lines in the codebox below. (make sure you include the first lot of : ) :Otl O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found. O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found. O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O33 - MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\Shell\AutoRun\command - "" = E:\InstallTomTomHOME.exe -- File not found O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell - "" = AutoRun O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found [2010/02/19 21:30:09 | 000,009,728 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini @Alternate Data Stream - 140 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:9239D250 @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 :commands [emptytemp] [purity] [RESETHOSTS] [EMPTYFLASH] Return to OTL, right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste. http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png Click the red Run Fix button. http://img.photobucket.com/albums/v708/starbuck50/runfixbutton.png OTL will reboot your system once the fix has completed. After the reboot, you may need to double click OTL to launch the program and retrieve the log. Copy and paste the contents of the OTL log that comes up after the fix in your next reply. Step 3 Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Link 1 Link 2 http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif This is an example, you may rename ComboFix to anything you want. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix. For more information read: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs Then: Double click on Combo-Fix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. If running Vista, you may not see this screen Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: http://img.photobucket.com/albums/v706/ried7/whatnext.png Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall In your next reply, please submit: Otl report that comes up after the fix. ComboFix.txt Thanks. Quote Member of:UNITE
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 All processes killed ========== OTL ========== Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found. Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully. Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\SITEguard deleted successfully. Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found. Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found. Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found. Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found. Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7} C:\WINDOWS\Downloaded Program Files\gp.inf not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7dcf3ec0-0136-11df-8744-001060d01536}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7dcf3ec0-0136-11df-8744-001060d01536}\ not found. File E:\InstallTomTomHOME.exe not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ deleted successfully. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found. Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c8e06ce9-c4bb-11dd-858c-001060d01536}\ not found. File E:\LaunchU3.exe not found. C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:9239D250 deleted successfully. ADS C:\Documents and Settings\All Users\Application Data\TEMP:CB0AACC9 deleted successfully. ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 204952 bytes User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 33170 bytes ->Flash cache emptied: 41085 bytes User: LocalService ->Temp folder emptied: 66016 bytes ->Temporary Internet Files folder emptied: 47759 bytes User: NetworkService ->Temp folder emptied: 295392 bytes ->Temporary Internet Files folder emptied: 12107441 bytes User: Stuart ->Temp folder emptied: 136638028 bytes ->Temporary Internet Files folder emptied: 138550175 bytes ->Java cache emptied: 25802316 bytes ->FireFox cache emptied: 58484417 bytes ->Apple Safari cache emptied: 10554646 bytes ->Flash cache emptied: 49989 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 2176856 bytes %systemroot%\System32 .tmp files removed: 3613713 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 155178763 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23449822 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 1362480 bytes Total Files Cleaned = 542.00 mb C:\WINDOWS\System32\drivers\etc\Hosts moved successfully. HOSTS file reset successfully [EMPTYFLASH] User: Administrator User: All Users User: Default User ->Flash cache emptied: 0 bytes User: LocalService User: NetworkService User: Stuart ->Flash cache emptied: 0 bytes Total Flash Files Cleaned = 0.00 mb OTL by OldTimer - Version 3.1.32.0 log created on 03012010_173214 Files\Folders moved on Reboot... File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_e38.dat not found! C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\IL5T36U2\9279-suspected-key-logger[2].html moved successfully. C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\IL5T36U2\ads[3].htm moved successfully. C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\Content.IE5\00ZM1POQ\ads[3].htm moved successfully. C:\Documents and Settings\Stuart\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully. File move failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot. File\Folder C:\WINDOWS\temp\Perflib_Perfdata_6fc.dat not found! Registry entries deleted on Reboot... Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 ComboFix 10-03-01.01 - Stuart 01/03/2010 18:44:12.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2303 [GMT 0:00] Running from: c:\documents and settings\Stuart\Desktop\Combo-Fix.exe AV: avast! antivirus 4.8.1368 [VPS 100301-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} . ((((((((((((((((((((((((( Files Created from 2010-02-01 to 2010-03-01 ))))))))))))))))))))))))))))))) . 2010-03-01 17:32 . 2010-03-01 17:32 -------- d-----w- C:\_OTL 2010-03-01 15:24 . 2010-03-01 15:24 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2010-03-01 15:24 . 2010-03-01 15:24 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys 2010-03-01 15:24 . 2010-03-01 15:24 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll 2010-03-01 15:23 . 2010-03-01 15:23 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll 2010-03-01 15:22 . 2010-03-01 15:22 562272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll 2010-03-01 15:22 . 2010-03-01 15:22 221408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll 2010-03-01 15:21 . 2010-03-01 15:22 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll 2010-03-01 15:21 . 2010-03-01 15:21 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll 2010-03-01 15:20 . 2010-03-01 15:20 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll 2010-03-01 15:14 . 2010-03-01 15:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6} 2010-03-01 15:14 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe 2010-03-01 12:18 . 2004-07-16 16:11 622113 ----a-w- c:\windows\system32\IDPList.dll 2010-03-01 12:18 . 2004-05-15 12:12 13772 ----a-w- c:\windows\system32\IDPImmData.dll 2010-03-01 12:18 . 2004-06-12 12:02 162 ----a-w- c:\windows\system32\IDPCritProc.dll 2010-03-01 12:17 . 2010-03-01 12:17 1002044 ----a-w- c:\windows\system32\IDPExe.zip 2010-03-01 12:17 . 2010-03-01 12:17 1669117 ----a-w- c:\windows\system32\IDPSig.zip 2010-03-01 00:49 . 2010-03-01 00:49 388096 ----a-r- c:\documents and settings\Stuart\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe 2010-03-01 00:49 . 2010-03-01 00:49 -------- d-----w- c:\program files\TrendMicro 2010-02-25 13:09 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe 2010-02-22 22:22 . 2010-02-22 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield 2010-02-22 22:22 . 2010-02-22 22:22 -------- d-----w- c:\program files\CA Design 2010-02-14 20:47 . 2010-02-14 20:48 -------- d-----w- c:\program files\iTunes 2010-02-14 20:44 . 2010-02-14 20:44 -------- d-----w- c:\program files\QuickTime 2010-02-14 20:37 . 2010-02-14 20:37 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe 2010-02-10 23:07 . 2010-02-10 23:07 -------- d-sh--w- c:\documents and settings\Default User\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-01 18:46 . 2008-12-19 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki 2010-03-01 17:09 . 2008-02-23 22:28 -------- d-----w- c:\program files\Java 2010-03-01 17:09 . 2008-02-23 22:27 -------- d-----w- c:\program files\Common Files\Java 2010-03-01 15:24 . 2009-09-22 17:49 884176 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2010-03-01 15:23 . 2009-09-23 09:38 15880 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-01 15:23 . 2009-09-22 17:49 211064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2010-03-01 15:23 . 2009-09-22 17:49 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2010-03-01 15:23 . 2009-09-22 17:49 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2010-03-01 15:22 . 2009-09-22 17:49 390320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2010-03-01 15:22 . 2009-09-22 17:49 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2010-03-01 15:21 . 2009-09-22 17:49 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2010-03-01 15:20 . 2009-09-22 17:49 329048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2010-03-01 15:20 . 2009-09-22 17:49 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2010-03-01 15:18 . 2009-09-22 17:49 961984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2010-03-01 15:18 . 2009-09-22 17:49 835312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2010-03-01 15:17 . 2009-09-22 17:49 842992 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2010-03-01 15:17 . 2009-09-22 17:49 1593320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2010-03-01 15:17 . 2009-09-22 17:49 815184 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2010-03-01 15:16 . 2009-09-22 17:49 1229232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2010-03-01 15:14 . 2008-01-08 17:47 -------- d-----w- c:\program files\Lavasoft 2010-02-28 23:13 . 2009-02-12 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2010-02-26 19:58 . 2008-01-08 20:34 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-02-22 22:22 . 2008-01-08 12:24 -------- d-----w- c:\program files\Common Files\InstallShield 2010-02-14 20:47 . 2008-01-08 22:51 -------- d-----w- c:\program files\iPod 2010-02-14 20:47 . 2008-01-30 19:48 -------- d-----w- c:\program files\Common Files\Apple 2010-02-13 14:27 . 2008-01-08 21:58 -------- d-----w- c:\program files\Google 2010-02-10 23:07 . 2008-01-09 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-02-04 15:53 . 2009-09-22 17:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2010-02-02 10:57 . 2009-03-15 22:02 7 ----a-w- c:\windows\sbacknt.bin 2010-01-27 08:55 . 2010-01-27 08:55 503808 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\msvcp71.dll 2010-01-27 08:55 . 2010-01-27 08:55 348160 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\msvcr71.dll 2010-01-27 08:55 . 2010-01-27 08:55 499712 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7706e4d1-n\jmc.dll 2010-01-27 08:55 . 2010-01-27 08:55 61440 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-527bf776-n\decora-sse.dll 2010-01-27 08:55 . 2010-01-27 08:55 12800 ----a-w- c:\documents and settings\Stuart\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-527bf776-n\decora-d3d.dll 2010-01-24 19:22 . 2008-01-09 22:49 -------- d-----w- c:\documents and settings\Stuart\Application Data\Skype 2010-01-24 18:33 . 2008-01-09 22:54 -------- d-----w- c:\documents and settings\Stuart\Application Data\skypePM 2010-01-21 08:18 . 2008-02-29 00:26 -------- d-----w- c:\program files\Microsoft Silverlight 2010-01-18 18:09 . 2008-01-09 00:16 -------- d-----w- c:\program files\Common Files\Adobe 2010-01-18 00:00 . 2008-03-14 00:52 3360 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys 2010-01-16 14:19 . 2008-01-08 12:26 -------- d--h--w- c:\program files\InstallShield Installation Information 2010-01-16 03:57 . 2010-01-16 01:24 -------- d-----w- c:\program files\IdentityPatrol 2010-01-16 02:09 . 2010-01-16 01:12 -------- d-----w- c:\program files\Registry Patrol 2010-01-15 19:37 . 2010-01-15 19:37 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9} 2010-01-15 17:46 . 2010-01-12 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-01-15 17:43 . 2009-08-11 15:33 -------- d-----w- c:\program files\Citrix 2010-01-15 17:28 . 2009-12-30 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla! 2010-01-15 16:59 . 2010-01-12 16:17 -------- d-----w- c:\program files\Spybot - Search & Destroy 2010-01-15 16:51 . 2010-01-15 16:50 960 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg 2010-01-15 12:43 . 2010-01-15 10:33 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\mvhgkr.dat 2010-01-15 12:43 . 2010-01-15 10:36 120 ----a-w- c:\windows\Qcitiwoni.dat 2010-01-15 10:36 . 2010-01-15 10:36 0 ----a-w- c:\windows\Oxefikomeje.bin 2010-01-15 10:33 . 2010-01-15 10:33 4 ----a-w- c:\documents and settings\LocalService\Application Data\mvhgkr.dat 2010-01-14 18:09 . 2010-01-14 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom 2010-01-14 18:07 . 2010-01-14 18:07 -------- d-----w- c:\program files\TomTom HOME 2 2010-01-14 18:00 . 2010-01-14 18:00 -------- d-----w- c:\program files\TomTom DesktopSuite 2010-01-14 09:48 . 2008-01-08 23:13 -------- d-----w- c:\program files\PKR 2010-01-12 17:35 . 2009-03-02 17:12 -------- d-----w- c:\program files\Yahoo! 2010-01-12 16:24 . 2010-01-12 16:24 -------- d-----w- c:\documents and settings\Stuart\Application Data\Malwarebytes 2010-01-12 16:24 . 2010-01-12 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-01-12 13:07 . 2009-03-15 22:02 -------- d-----w- c:\program files\vghd 2010-01-12 13:07 . 2009-03-15 22:02 152904 ----a-w- c:\windows\system32\vghd.scr 2010-01-12 13:07 . 2010-01-12 13:07 -------- d-----w- c:\documents and settings\Stuart\Application Data\vghd 2010-01-11 09:42 . 2009-12-30 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard 2010-01-08 21:50 . 2010-01-08 21:50 171080 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys 2009-12-30 12:00 . 2008-01-08 20:35 78304 ----a-w- c:\documents and settings\Stuart\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-12-30 11:58 . 2009-12-30 11:59 816384 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\Components\DownloadQB17\Patch\qbpatch2.exe 2009-12-21 19:14 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2009-12-17 17:14 . 2008-11-27 10:31 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-12-16 18:43 . 2008-01-08 12:03 343040 ----a-w- c:\windows\system32\mspaint.exe 2009-12-14 07:08 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll 2009-12-08 19:26 . 2006-02-28 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-12-08 18:43 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-12-04 18:22 . 2006-02-28 12:00 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 139264] "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-24 864256] "GenePccMon.exe"="c:\program files\Genesys PC Camera Device\GenePccMon.exe" [2007-02-13 36864] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-01-15 30192] "IdentityPatrol"="c:\program files\IdentityPatrol\IdentityPatrol.exe" [2008-02-12 6840320] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-14 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-14 81920] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-8 967960] WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2009-9-23 98304] Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\WINDOWS\\system32\\spoolsv.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"= "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [22/09/2009 17:50 64288] R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/01/2009 11:27 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/01/2009 11:27 20560] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 15:52 1229232] R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [13/11/2009 11:31 92008] R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\drivers\USBGENE.sys [08/01/2008 12:50 131584] S2 gupdate1c98cfde1ebe9de;Google Update Service (gupdate1c98cfde1ebe9de);c:\program files\Google\Update\GoogleUpdate.exe [12/02/2009 10:37 133104] S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [15/01/2010 22:20 30192] . Contents of the 'Scheduled Tasks' folder 2010-03-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 15:17] 2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2010-03-01 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20] 2010-03-01 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-12 18:46] 2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 10:37] 2010-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-12 10:37] 2010-03-01 c:\windows\Tasks\User_Feed_Synchronization-{5A6F850F-0EEA-403D-B358-444B4AA78D53}.job - c:\windows\system32\msfeedssync.exe [2007-08-13 03:31] . . Quote
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 ------- Supplementary Scan ------- . uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/keyword/%s . - - - - ORPHANS REMOVED - - - - HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover Rootkit scan 2010-03-01 18:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run GenePccMon.exe = c:\program files\Genesys PC Camera Device\GenePccMon.exe??????????????????????????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1228) c:\windows\system32\WININET.dll c:\docume~1\Stuart\LOCALS~1\Temp\catchme.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-03-01 18:47:43 ComboFix-quarantined-files.txt 2010-03-01 18:47 Pre-Run: 176,929,280,000 bytes free Post-Run: 176,884,244,480 bytes free - - End Of File - - EE1C7C556386AC4DF4435886877D28ED Quote
ExTS Admin Starbuck Posted March 1, 2010 ExTS Admin Posted March 1, 2010 Hi thingameejig, I see that Combofix has been run twice before, when was it run? Let's get an online scan done and see if there's anything else. I'd like you to do an ESET OnlineScanHold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop. Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button. [*]Accept any security warnings from your browser. [*]Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png [*]Click the Start button. [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time. [*]When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. [*]Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button. [*]Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt Quote Member of:UNITE
thingameejig Posted March 1, 2010 Author Posted March 1, 2010 The combofix was only run today, it froze twice before it ran fully. results of esetscan.... C:\Program Files\Registry Patrol\RegistryPatrol.exe a variant of Win32/Adware.RegistryPatrol application cleaned by deleting - quarantined C:\WINDOWS\system32\drivers\etc\hosts.20100115-150815.backup Win32/Qhost trojan cleaned by deleting - quarantined C:\WINDOWS\system32\drivers\etc\hosts.20100115-151016.backup Win32/Qhost trojan cleaned by deleting - quarantined C:\_OTL\MovedFiles\03012010_173214\C_WINDOWS\System32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined (thank you for advice and help so far, I don't fully understand wht we hve achieved but I am sure it's all good. As i originaly stated i have a potential problem on two other pc's, should i duplicate these steps on them or is each step specific to the first?. Likewise if we haven't finished yet I apologise for the interuption.... i'm all ears again! (or eyes and fingers!)) Quote
ExTS Admin Starbuck Posted March 2, 2010 ExTS Admin Posted March 2, 2010 (edited) Hi thingameejig I don't fully understand wht we hve achieved but I am sure it's all good There was no actual Keylogger showing in the reports, maybe it was just a program that shows signs of working like a keylogger. Sounds odd i know, but i actually use a couple. The main program i use for storing/copying and pasting my canned speeches is sometimes thrown up as a keylogger, but it's not....but it has the ability to use keyboard shortcuts. You did have a couple of problems, but they have now been sorted. C:\WINDOWS\system32\drivers\etc\hosts.20100115-150815.backup Win32/Qhost trojan cleaned by deleting - quarantined C:\WINDOWS\system32\drivers\etc\hosts.20100115-151016.backup Win32/Qhost trojan cleaned by deleting - quarantined C:\_OTL\MovedFiles\03012010_173214\C_WINDOWS\Syste m32\drivers\etc\hosts Win32/Qhost trojan cleaned by deleting - quarantined we beat Eset to these as we had already reset your hosts file. :) s i originaly stated i have a potential problem on two other pc's, should i duplicate these steps on them or is each step specific to the first? No, each system has to be treated differently. Never use the same fix for another system. Feel free to start a new thread for the other systems and we'll be glad to take a look for you. If your system seems to be running ok, we'll finish off the cleaning. so....... everything ok now? Edited March 2, 2010 by Starbuck Quote Member of:UNITE
thingameejig Posted March 2, 2010 Author Posted March 2, 2010 If your system seems to be running ok, we'll finish off the cleaning. so....... everything ok now? Yes, the system is OK however the odd thing is there wasn't any sign of a problem with it before we started. I started the thread because of the theft we experienced from our on line banking. Overnight I ran my AV software.... Advent proffesional ..... found nothing adaware (free download) .... found nothing stopzilla .... found loads, such as... Catchme (trojan) HKlM \system\ current control settings GASF Internet security 2010 ezula dash memory I deleted these turn laptop off/on then re ran stopzilla and Internet security 2010 & GASF are still there other than that I am ready/happy to continu aith the proccess Further to this I have my doubts..... I am wondering if it would be simpler to just reinstall windows altogether and start again ???? I am also considering buying a fourth laptop and having it solely designated to online banking and such like... Unfortunately this experience has left me with little faith in on line security Quote
RandyL Posted March 2, 2010 Posted March 2, 2010 One of our secucurity experts will likely say the same things any one else will. But follow through with the cleaning first. I think you are probably just about done. After that you might get some opinions on over all security. A dedicated banking computer would be over kill in my opinion. In any case I will wait. Quote We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.Get help with computer problems. Join Free PC Help here Donations are welcome. Read Here
ExTS Admin Starbuck Posted March 2, 2010 ExTS Admin Posted March 2, 2010 Hi thingameejig stopzilla .... found loads, such as... Catchme (trojan) HKlM \system\ current control settings GASF Internet security 2010 ezula dash memory Catchme isn't a trojan,it's part of one our cleaning tools .... but some programs may flag it as such because of how it works. GASF Internet security 2010 these are interesting though. GASF is associated with the TDSS rootkit, which is designed to steal information. I suspect that this may have been removed by one of your security programs prier to us checking. Combofix is very good at detecting this rootkit, but didn't find anything. It maybe that there's a registry entry still laying around somewhere. This is the problem with these types of rootkits. If we had seen this in the reports we would normally have recommended a reformat/reinstall to make sure it was removed completely. There is a tool designed specifically to search for this, it wouldn't hurt to run that. Internet security 2010 is a rouge program, but none of the scans detected it ... maybe this is just registry remnants again. Like i say these may have been removed by one of your security programs and may have just left a few orphan entries in the registry. Let's take a look to be on the safe side. Step 1 Download TDSSKiller and save it to your Desktop. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. Click on Start >> Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here. Step 2 Please update MBAM and run another scan: Start MBAM Click on the Update tab >> click Search for Updates If it says that MBAM needs to close to update it... let it close and then restart it. On restart >> click the Scan button. Don't forget: When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below) The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of that report in your next reply and exit MBAM.Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Let me have both reports and we'll check that everything has gone. Thanks. Quote Member of:UNITE
thingameejig Posted March 2, 2010 Author Posted March 2, 2010 18:10:31:359 1796 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25 18:10:31:359 1796 ================================================================================ 18:10:31:359 1796 SystemInfo: 18:10:31:359 1796 OS Version: 5.1.2600 ServicePack: 3.0 18:10:31:359 1796 Product type: Workstation 18:10:31:359 1796 ComputerName: EXTREMEPAD 18:10:31:359 1796 UserName: Stuart 18:10:31:359 1796 Windows directory: C:\WINDOWS 18:10:31:359 1796 Processor architecture: Intel x86 18:10:31:359 1796 Number of processors: 2 18:10:31:359 1796 Page size: 0x1000 18:10:31:359 1796 Boot type: Normal boot 18:10:31:359 1796 ================================================================================ 18:10:31:375 1796 UnloadDriverW: NtUnloadDriver error 2 18:10:31:375 1796 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2 18:10:31:406 1796 Initialize success 18:10:31:406 1796 18:10:31:406 1796 Scanning Services ... 18:10:31:406 1796 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 18:10:31:406 1796 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 18:10:31:406 1796 wfopen_ex: Trying to KLMD file open 18:10:31:406 1796 wfopen_ex: File opened ok (Flags 2) 18:10:31:406 1796 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 18:10:31:406 1796 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 18:10:31:406 1796 wfopen_ex: Trying to KLMD file open 18:10:31:406 1796 wfopen_ex: File opened ok (Flags 2) 18:10:31:906 1796 GetAdvancedServicesInfo: Raw services enum returned 401 services 18:10:31:906 1796 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system 18:10:31:906 1796 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software 18:10:31:906 1796 18:10:31:906 1796 Scanning Kernel memory ... 18:10:31:906 1796 Devices to scan: 2 18:10:31:906 1796 18:10:31:906 1796 Driver Name: Disk 18:10:31:906 1796 IRP_MJ_CREATE : BA90EBB0 18:10:31:906 1796 IRP_MJ_CREATE_NAMED_PIPE : 804F4562 18:10:31:906 1796 IRP_MJ_CLOSE : BA90EBB0 18:10:31:906 1796 IRP_MJ_READ : BA908D1F 18:10:31:906 1796 IRP_MJ_WRITE : BA908D1F 18:10:31:906 1796 IRP_MJ_QUERY_INFORMATION : 804F4562 18:10:31:906 1796 IRP_MJ_SET_INFORMATION : 804F4562 18:10:31:906 1796 IRP_MJ_QUERY_EA : 804F4562 18:10:31:906 1796 IRP_MJ_SET_EA : 804F4562 18:10:31:906 1796 IRP_MJ_FLUSH_BUFFERS : BA9092E2 18:10:31:906 1796 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562 18:10:31:906 1796 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562 18:10:31:906 1796 IRP_MJ_DIRECTORY_CONTROL : 804F4562 18:10:31:906 1796 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562 18:10:31:906 1796 IRP_MJ_DEVICE_CONTROL : BA9093BB 18:10:31:906 1796 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28 18:10:31:906 1796 IRP_MJ_SHUTDOWN : BA9092E2 18:10:31:906 1796 IRP_MJ_LOCK_CONTROL : 804F4562 18:10:31:906 1796 IRP_MJ_CLEANUP : 804F4562 18:10:31:906 1796 IRP_MJ_CREATE_MAILSLOT : 804F4562 18:10:31:906 1796 IRP_MJ_QUERY_SECURITY : 804F4562 18:10:31:906 1796 IRP_MJ_SET_SECURITY : 804F4562 18:10:31:906 1796 IRP_MJ_POWER : BA90AC82 18:10:31:906 1796 IRP_MJ_SYSTEM_CONTROL : BA90F99E 18:10:31:906 1796 IRP_MJ_DEVICE_CHANGE : 804F4562 18:10:31:906 1796 IRP_MJ_QUERY_QUOTA : 804F4562 18:10:31:906 1796 IRP_MJ_SET_QUOTA : 804F4562 18:10:31:906 1796 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code 18:10:31:906 1796 sion 18:10:31:921 1796 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 18:10:31:921 1796 18:10:31:921 1796 Driver Name: atapi 18:10:31:921 1796 IRP_MJ_CREATE : BA6ED6F2 18:10:31:921 1796 IRP_MJ_CREATE_NAMED_PIPE : 804F4562 18:10:31:921 1796 IRP_MJ_CLOSE : BA6ED6F2 18:10:31:921 1796 IRP_MJ_READ : 804F4562 18:10:31:921 1796 IRP_MJ_WRITE : 804F4562 18:10:31:921 1796 IRP_MJ_QUERY_INFORMATION : 804F4562 18:10:31:921 1796 IRP_MJ_SET_INFORMATION : 804F4562 18:10:31:921 1796 IRP_MJ_QUERY_EA : 804F4562 18:10:31:921 1796 IRP_MJ_SET_EA : 804F4562 18:10:31:921 1796 IRP_MJ_FLUSH_BUFFERS : 804F4562 18:10:31:921 1796 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562 18:10:31:921 1796 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562 18:10:31:921 1796 IRP_MJ_DIRECTORY_CONTROL : 804F4562 18:10:31:921 1796 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562 18:10:31:921 1796 IRP_MJ_DEVICE_CONTROL : BA6ED712 18:10:31:921 1796 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA6E9852 18:10:31:921 1796 IRP_MJ_SHUTDOWN : 804F4562 18:10:31:921 1796 IRP_MJ_LOCK_CONTROL : 804F4562 18:10:31:921 1796 IRP_MJ_CLEANUP : 804F4562 18:10:31:921 1796 IRP_MJ_CREATE_MAILSLOT : 804F4562 18:10:31:921 1796 IRP_MJ_QUERY_SECURITY : 804F4562 18:10:31:921 1796 IRP_MJ_SET_SECURITY : 804F4562 18:10:31:921 1796 IRP_MJ_POWER : BA6ED73C 18:10:31:921 1796 IRP_MJ_SYSTEM_CONTROL : BA6F4336 18:10:31:921 1796 IRP_MJ_DEVICE_CHANGE : 804F4562 18:10:31:921 1796 IRP_MJ_QUERY_QUOTA : 804F4562 18:10:31:921 1796 IRP_MJ_SET_QUOTA : 804F4562 18:10:31:921 1796 siohd: 0 18:10:32:000 1796 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean 18:10:32:000 1796 18:10:32:000 1796 Completed 18:10:32:015 1796 18:10:32:015 1796 Results: 18:10:32:015 1796 Memory objects infected / cured / cured on reboot: 0 / 0 / 0 18:10:32:015 1796 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 18:10:32:015 1796 File objects infected / cured / cured on reboot: 0 / 0 / 0 18:10:32:015 1796 18:10:32:015 1796 KLMD(ARK) unloaded successfully MBAM ?????what is this? how do i access it? Quote
ExTS Admin Starbuck Posted March 2, 2010 ExTS Admin Posted March 2, 2010 MBAM ?????what is this? how do i access it? Sorry my mistake, i thought you had MBAM installed. That's what happens when you work too many logs at once. Please download Malwarebytes Anti-Malware and save it to your desktop. Make sure you are connected to the Internet. Double-click on Download_mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware [*]Then click Finish. [*]MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. [*]On the Scanner tab:Make sure the "Perform Full Scan" option is selected. Then click on the Scan button. [*]If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. [*]The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. [*]When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". [*]Click OK to close the message box and continue with the removal process. [*]Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. [*]Make sure that everything is checked, and click Remove Selected. [*]When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below) [*]The log is automatically saved and can be viewed by clicking the Logs tab in MBAM. [*]Copy and paste the contents of that report in your next reply and exit MBAM.Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware. Let me have the report after the scan. Thanks Quote Member of:UNITE
thingameejig Posted March 3, 2010 Author Posted March 3, 2010 OK, by coincedence on other advise I had run this earlier (just didn't recognise the reference to it), however i ran it again. Below is the log from earlier, however when I ran it the second time it finished the scan displayed a virus and upon removal a note popped up saying that the software had experienced a fault and had to close. Malwarebytes' Anti-Malware 1.44 Database version: 3813 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 02/03/2010 16:11:17 mbam-log-2010-03-02 (16-11-17).txt Scan type: Full Scan (C:\|) Objects scanned: 232391 Time elapsed: 1 hour(s), 4 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully. Quote
thingameejig Posted March 3, 2010 Author Posted March 3, 2010 With everything i have carried out i was begining to restore my faith in my security. In addition to your instructions i have also ran... advent anti virus adaware stopzilla microsoft malicous tool removal windows protection scan However in the half an hour Ilost connectivity to my bt home hub, my wifi didn't register it ..... I moved to within 10 feet of the unit, it then registered it but didn't connect. After four attempts it reconnected then shortly afterwards it failed. I then turned the hub off/on and things appear back to normal. whilstdoing this I opened microsoft outlook which came up with the error "personal folders not closed properly" last time i used it (not true to my knowledge) Question.... are these just coincidences? could this be related to the infiltration i suspect I have? Or am I just becoming too sensitive about everyday normal computing glitches? Quote
ExTS Admin Starbuck Posted March 3, 2010 ExTS Admin Posted March 3, 2010 Hi thingameejig, Files Infected: C:\Documents and Settings\LocalService\Application Data\mvhgkr.dat (Malware.Trace) -> Quarantined and deleted successfully. This is actually related to 'Internet Security 2010'. This is why sometimes we recommend a reformat/re-install .... there isn't a single program that will find every bad file/folder, we have to use so many. The programs we use all search in different ways, that's why some programs find things and some miss things. After four attempts it reconnected then shortly afterwards it failed. I then turned the hub off/on and things appear back to normal. whilstdoing this I opened microsoft outlook which came up with the error "personal folders not closed properly" last time i used it (not true to my knowledge) Question.... are these just coincidences? could this be related to the infiltration i suspect I have? In another thread i'm working on, someone else was having connection problems ( they were on BT as well) seems they checked with BT and it turns out that BT are upgrading their system at the moment and some small problems are bound to occur. Quote Member of:UNITE
thingameejig Posted March 3, 2010 Author Posted March 3, 2010 So would you say were about done? System seems fine....... ?? Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.