Malware/Virus issue on son's computer (Resolved)
gdowling
2009-08-14, 07:53
My son's computer picked up this "virus" on 20Jun @ 12:43pm, but I was only able to finally look at this computer tonight. (It had been shut off for exactly one month.) I was able to determine this based on what I found:
* Spotted a "Windows Firewall" pop-up relating to some Keylogger Trojan.
* Spotted some weird executable running in Task Manager -- killed it.
* Spotted "10394214" in HKLM\Software\Microsoft\Windows\CurrentVersion\Run -- pointing to a numbered executable within C:\Documents and Settings\All Users\Application Data...
* Spotted "nah_Shell" and "ttool" in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
* Spotted "nah_fban.exe" and "nah_log.dat" in his Documents and Settings directory (executable has a 20Jun datestamp).
* Spotted "9129837.exe" in the C:\windows directory (executable has a 20Jun datestamp).
* Spotted 3 DLL files in a SystemBackup directory within C:\Documents and Settings\Adrian\Application Data\Microsoft -- all created on 20Jun.
Spybot S&D was previously installed, but it was under his brother's account -- so TeaTimer was not running at the time of the infection. (That will be rectified once all of this is completed.)
I uninstalled an expired AV program... then installed Symantec Endpoint Protection v11 on his computer and ran a full scan. It found *only* the following (after scanning for over 3 hours) --
* C:\Windows\system32\desktrf.exe -- Adware.Begin2search <-- deleted
I am severely tempted to start attacking this -- since there is definitely more to this than what Symantec found, but I am trying to do the right thing to get his computer properly fixed. Here is the HJT log.
===========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:54 AM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Documents and Settings\Adrian\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSN Search - {24A1E1CC-4393-941E-B765-2264A695D4E3} - C:\WINDOWS\system32\browsearch.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [10394214] C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Adrian\nah_fban.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [defender32.exe] C:\DOCUME~1\Adrian\LOCALS~1\Temp\defender32.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: legupd32.exe
O4 - Global Startup: America Online Tray Icon.lnk.disabled
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=20034251
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124311475640
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O22 - SharedTaskScheduler: COM+ Service - {3229DFCD-3EAF-4712-ED45-4876FEDC170C} - C:\WINDOWS\system32\winload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
--
End of file - 9029 bytes
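As an added triage helper (not from the original post or from any of the tools mentioned in this thread), the following Python script reads HijackThis-style log lines and flags the same kinds of autostart anomalies the poster found by hand: Run entries launching from Temp, All Users\Application Data or a user profile root, purely numeric executable names, a UserInit value chained beyond userinit.exe, and a service whose binary is missing or whose path is doubled. The sample lines are copied from the log above; the rule names and the exact heuristics are my own assumptions, not HJT's.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the HJT log posted above, plus benign
# entries (hpsysdrv, ctfmon, LiveUpdate) that should NOT be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [10394214] C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [nah_Shell] C:\Documents and Settings\Adrian\nah_fban.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [defender32.exe] C:\DOCUME~1\Adrian\LOCALS~1\Temp\defender32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
"""

# HJT line shapes handled here (assumed from the log format, not an official grammar).
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
# Heuristics: an .exe sitting directly under a profile root, a purely numeric
# file name, and a service path that contains a second drive letter.
PROFILE_ROOT_RE = re.compile(r"^c:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+\.exe$")
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$")
DOUBLED_PATH_RE = re.compile(r"[a-z]:\\.*[a-z]:\\")


def executable_from(command: str) -> str:
    """Return just the executable path from an O4 command string (drops arguments)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[: m.end()] if m else command


def check_run_entry(path: str) -> List[str]:
    """Reasons an O4 Run entry looks suspicious (empty list = nothing noted)."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if "all users\\application data" in p:
        reasons.append("runs from All Users\\Application Data")
    if PROFILE_ROOT_RE.match(p):
        reasons.append("executable sits directly in a user profile root")
    if NUMERIC_EXE_RE.match(base):
        reasons.append("purely numeric executable name")
    return reasons


def check_userinit(value: str) -> List[str]:
    """A clean UserInit holds only userinit.exe; anything chained after it is reported."""
    parts = [x.strip() for x in value.split(",") if x.strip()]
    extras = [x for x in parts if not x.lower().endswith("\\userinit.exe")]
    return [f"UserInit chains an extra program: {x}" for x in extras]


def check_service(path: str) -> List[str]:
    """Reasons an O23 service binary entry looks tampered with."""
    p = path.lower()
    reasons = []
    if "(file missing)" in p:
        reasons.append("service binary reported missing")
    if DOUBLED_PATH_RE.search(p):
        reasons.append("doubled drive path in service ImagePath")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        line = line.strip()
        reasons: List[str] = []
        if m := O4_RE.match(line):
            reasons = check_run_entry(executable_from(m.group(3)))
        elif m := F2_RE.match(line):
            reasons = check_userinit(m.group(1))
        elif line.startswith("O23 - Service: "):
            # The binary path is everything after the last " - " separator.
            reasons = check_service(line.rsplit(" - ", 1)[-1])
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(flagged)
        for r in why:
            print("    ->", r)
```

Entries that trip a rule are candidates for a closer look, not verdicts; legitimate software occasionally runs from a profile directory too.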
Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Failure to reply within 5 days will result in the topic being closed.
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
since there is definitely more to this than what Symantec found
There most certainly is !!!
==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================
----------------------------------------------------------------------------------------
Step 1
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
( They can also be found in the C:\RSIT folder )
----------------------------------------------------------------------------------------
Step 2
Please Download GMER to your desktop
Download GMER (http://www.gmer.net/gmer.zip) and extract it to your desktop.
***Please close any open programs ***
Double-click gmer.exe. The program will begin to run.
Note:- If GMER doesn't run, please Reboot and then rename gmer.exe to Look.exe and try again
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst
If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click Yes.
Once the scan is complete, you may receive another notice about rootkit activity.
Click OK.
GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. GMER will produce a log.
Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.
DO NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !
Please post the results from the GMER scan in your reply.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large, You may need to split them over a couple of replies.
RSIT Logs
GMER Log
gdowling
2009-08-16, 20:31
Shortly after I did my initial post, I applied the latest def files to the AV client. It has since picked up these additional risks:
* C:\Documents and Settings\Adrian\nah_fban.exe -- Trojan.Hanambot <-- deleted
* C:\Documents and Settings\Adrian\Application Data\Microsoft\SystemBackup\winload.dll -- Backdoor.Graybird <-- deleted
* C:\Documents and Settings\Adrian\Start Menu\Programs\Startup\legupd32.exe -- Trojan.Bredolab <-- deleted
* C:\windows\9129837.exe -- Packed.Generic.234 <-- deleted (restart required)
* C:\windows\system32\browserui.dll -- Trojan Horse <-- quarantined
* C:\windows\system32\browsearch.dll -- Trojan.Vundo <-- deleted (restart required)
* C:\windows\system32\clfsw.dll -- Trojan Horse <-- quarantined
* C:\windows\system32\mscert.dll -- Infostealer.Nuklus <-- deleted
* C:\windows\system32\sdra64.exe -- Infostealer.Banker.C <-- deleted (restart required)
* C:\windows\system32\wbem\proquota.exe -- Trojan Horse <-- quarantined
* Well over 150 trojans and various other infostealers/backdoors in C:\windows\Temp... all beginning with "4a85" and ending in either ".qef" or ".qsp".
Also... every time I log in, Spybot pops up stating that nothing was found in the file "BWCHelpr-137903.dll".
Here is the RSIT "log.txt" (I chose 3 months instead of the default "1 month" because the infection occurred back in June) --
==============================
Logfile of random's system information tool 1.06 (written by random/random)
Run by Adrian at 2009-08-16 12:53:03
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 19 GB (35%) free of 53 GB
Total RAM: 511 MB (31% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:09 PM, on 8/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Adrian\Desktop\RSIT.exe
C:\Documents and Settings\Adrian\Desktop\Adrian.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [10394214] C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [defender32.exe] C:\DOCUME~1\Adrian\LOCALS~1\Temp\defender32.exe
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: America Online Tray Icon.lnk.disabled
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?rand=20034251
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124311475640
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
--
End of file - 8863 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00320615-B6C2-40A6-8F99-F1C52D674FAD}]
LocalNRDObj Class
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-20 35840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-20 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-05 86016]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-07 61440]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"checktime"=c:\program files\HPSelect\Frontend\ct.exe [2002-01-26 45056]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-11-24 180269]
"LTMSG"=LTMSG.exe 7 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-08-02 139264]
"lxdimon.exe"=C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe [2007-05-07 435120]
"lxdiamon"=C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe [2007-03-05 20480]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-05-20 148888]
"10394214"=C:\Documents and Settings\All Users\Application Data\10394214\10394214.exe []
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-12-18 115560]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe /background []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-08-02 139264]
"defender32.exe"=C:\DOCUME~1\Adrian\LOCALS~1\Temp\defender32.exe []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online Tray Icon.lnk.disabled - C:\Program Files\America Online 9.0\aoltray.exe
hp center.lnk - C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
NETGEAR WG311v3 Wireless Assistant.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe
TextBridge Instant Access OCR.lnk - C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\Documents and Settings\Adrian\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-09-20 441136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antvirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableProfileQuota"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\hp center\137903\Program\BackWeb-137903.exe"="C:\Program Files\hp center\137903\Program\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD"="C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD:*:Enabled:Age of Empires II Expansion"
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe"="C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\lxdicoms.exe"="C:\WINDOWS\system32\lxdicoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 3500-4500 Series\App4R.exe"="C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe"="C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader"
"C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe"="C:\Program Files\Lexmark Fax Solutions\FaxCtr.exe:*:Enabled:Fax software"
"C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:*:Enabled:Device Monitor"
"C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe"="C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe:*:Enabled: "
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Windows Explorer"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Lexmark 3500-4500 Series\app4r.exe"="C:\Program Files\Lexmark 3500-4500 Series\app4r.exe:*:Enabled:Lexmark Imaging Studio"
======File associations======
.js - open - NOTEPAD.EXE %1
.reg - open - NOTEPAD.EXE %1
.scr - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1
======List of files/folders created in the last 3 months======
2009-08-16 12:10:00 ----D---- C:\rsit
2009-08-14 01:02:01 ----D---- C:\WINDOWS\ERDNT
2009-08-14 00:48:06 ----D---- C:\Program Files\ERUNT
2009-08-13 20:28:38 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-07-10 08:11:34 ----D---- C:\Documents and Settings\All Users\Application Data\10394214
2009-07-02 17:01:30 ----A---- C:\WINDOWS\system32\gdi32lib.dll
2009-06-20 15:37:19 ----A---- C:\WINDOWS\system32\iosocket.dll
2009-06-20 12:43:20 ----A---- C:\WINDOWS\system32\mt_32.dll
2009-06-18 19:15:09 ----D---- C:\Documents and Settings\Adrian\Application Data\AdobeUM
2009-06-10 16:22:30 ----A---- C:\aolconnfix.txt
2009-06-10 16:22:30 ----A---- C:\aolconnfix.exe
2009-06-10 03:04:27 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 03:04:06 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-06-10 03:03:39 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 03:01:34 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-05-20 20:27:46 ----D---- C:\WINDOWS\.jagex_cache_32
2009-05-20 20:27:27 ----D---- C:\WINDOWS\Sun
2009-05-20 20:26:26 ----A---- C:\WINDOWS\system32\javaws.exe
2009-05-20 20:26:26 ----A---- C:\WINDOWS\system32\javaw.exe
2009-05-20 20:26:26 ----A---- C:\WINDOWS\system32\java.exe
2009-05-20 20:26:26 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-20 20:25:41 ----D---- C:\Program Files\Java
2009-05-20 20:24:28 ----D---- C:\Documents and Settings\Adrian\Application Data\Sun
======List of files/folders modified in the last 3 months======
2009-08-16 12:48:24 ----D---- C:\WINDOWS\Temp
2009-08-16 12:26:13 ----D---- C:\WINDOWS\Prefetch
2009-08-16 12:16:46 ----D---- C:\WINDOWS
2009-08-14 13:00:21 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-14 12:00:51 ----D---- C:\WINDOWS\system32
2009-08-14 11:51:17 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-14 03:22:03 ----SHD---- C:\WINDOWS\Installer
2009-08-14 03:19:02 ----D---- C:\Program Files\Symantec
2009-08-14 03:18:46 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-08-14 02:01:39 ----D---- C:\WINDOWS\inf
2009-08-14 01:58:26 ----D---- C:\WINDOWS\system32\wbem
2009-08-14 01:56:35 ----D---- C:\Program Files\Norton AntiVirus
2009-08-14 01:56:35 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-08-14 01:56:35 ----D---- C:\Documents and Settings\Adrian\Application Data\Symantec
2009-08-14 00:48:06 ----D---- C:\Program Files
2009-08-13 23:26:23 ----A---- C:\WINDOWS\system.ini
2009-08-13 20:30:05 ----D---- C:\WINDOWS\system32\drivers
2009-08-13 20:28:17 ----D---- C:\WINDOWS\WinSxS
2009-08-13 20:18:49 ----D---- C:\Program Files\Common Files
2009-08-13 20:10:40 ----SD---- C:\WINDOWS\Tasks
2009-07-10 13:52:27 ----D---- C:\WINDOWS\Minidump
2009-07-10 12:35:11 ----D---- C:\Program Files\Mozilla Firefox
2009-06-21 00:51:33 ----D---- C:\Program Files\Windows Media Player
2009-06-21 00:51:28 ----D---- C:\Program Files\Robot Arena
2009-06-21 00:51:26 ----D---- C:\Program Files\Pyware 3D Java Interactive Viewer
2009-06-21 00:50:16 ----D---- C:\Program Files\LeapFrog
2009-06-21 00:49:56 ----D---- C:\Program Files\Internet Explorer
2009-06-21 00:49:54 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-21 00:49:43 ----D---- C:\Program Files\Hewlett-Packard
2009-06-21 00:49:02 ----D---- C:\Program Files\Common Files\aolshare
2009-06-21 00:48:56 ----D---- C:\Program Files\AOL
2009-06-21 00:48:56 ----D---- C:\Program Files\America Online 9.0
2009-06-21 00:48:54 ----D---- C:\Program Files\Lexmark Fax Solutions
2009-06-21 00:47:59 ----D---- C:\Documents and Settings\Adrian\Application Data\FaxCtr
2009-06-20 15:36:52 ----SD---- C:\Documents and Settings\Adrian\Application Data\Microsoft
2009-06-18 19:03:10 ----A---- C:\WINDOWS\win.ini
2009-06-10 03:04:30 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-06-10 03:04:12 ----A---- C:\WINDOWS\imsins.BAK
2009-06-10 03:03:59 ----HD---- C:\WINDOWS\$hf_mig$
2009-06-10 03:02:42 ----D---- C:\WINDOWS\system32\en-US
2009-06-10 03:02:20 ----D---- C:\WINDOWS\ie7updates
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2008-12-19 280112]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2008-12-19 43824]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2008-08-21 191536]
R1 WPS;WPS; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-11-02 773565]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090813.022\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090813.022\NAVEX15.SYS []
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-09 13780]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2008-08-21 27696]
R3 Teefer2;Teefer2 Miniport; C:\WINDOWS\system32\DRIVERS\teefer2.sys [2008-10-14 49536]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 W8335XP;NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335); C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys [2005-02-22 265984]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2002-10-15 33588]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2003-03-25 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2003-03-25 40256]
R3 WpsHelper;WpsHelper; \??\C:\WINDOWS\system32\drivers\WpsHelper.sys []
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
S3 A4S2600;A4S2600; C:\WINDOWS\System32\drivers\A4S2600.sys [1998-05-07 71520]
S3 dbustrcm;dbustrcm; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\dbustrcm.sys []
S3 DockingGroup;LeapFrog WDM USB Device Driver; C:\WINDOWS\System32\Drivers\MS20022K.sys [2002-08-05 14781]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 perm2;perm2; C:\WINDOWS\System32\DRIVERS\perm2.sys [2004-08-04 27904]
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2007-07-12 96384]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-09 188032]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2008-12-19 319792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2003-03-25 21216]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2003-03-25 5728]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 SysPlant;SysPlant for NT; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [2009-02-26 91976]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [2004-04-21 1434848]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2008-12-10 558456]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-20 152984]
R2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 lxdi_device;lxdi_device; C:\WINDOWS\system32\lxdicoms.exe [2007-04-26 517040]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 SmcService;Symantec Management Client; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [2009-02-26 1799496]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-02-01 2440120]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2009-01-30 1251720]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2003-08-27 65536]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2008-12-10 3093880]
S3 SNAC;Symantec Network Access Control; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [2009-02-01 320840]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
-----------------EOF-----------------
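The two RSIT lists above (files created in the last three months, and the driver table) are the raw material for a quick timeline triage: cluster the file creations around the earliest suspicious timestamp and look for kernel drivers whose image sits somewhere a non-admin process can write. The following Python script is an added example written for this page, not part of the original post and not a tool from the forum's cleanup procedure. It parses a subset of lines copied verbatim from the log above, anchors the time window on 2009-06-20 12:43:20 (the creation time of mt_32.dll in the list) and treats `\Temp\`, `\DOCUME~1\`, `\Documents and Settings\` and `\Local Settings\` as user-writable; the anchor, the 24-hour window and that fragment list are assumptions chosen for illustration, and a hit only means "look at this file", not "this file is malicious".

```python
"""Timeline triage over RSIT (random's system information tool) log sections.

Added example, not part of the original post: parses the "files/folders
created" list and the driver table, then flags (a) entries created within a
window around an anchor time and (b) drivers loaded from user-writable paths.
"""
import re
from datetime import datetime, timedelta

# Sample input: a subset of lines copied verbatim from the RSIT log above.
RSIT_SAMPLE = r"""
======List of files/folders created in the last 3 months======
2009-08-16 12:10:00 ----D---- C:\rsit
2009-08-13 20:28:38 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-07-10 08:11:34 ----D---- C:\Documents and Settings\All Users\Application Data\10394214
2009-07-02 17:01:30 ----A---- C:\WINDOWS\system32\gdi32lib.dll
2009-06-20 15:37:19 ----A---- C:\WINDOWS\system32\iosocket.dll
2009-06-20 12:43:20 ----A---- C:\WINDOWS\system32\mt_32.dll
2009-06-18 19:15:09 ----D---- C:\Documents and Settings\Adrian\Application Data\AdobeUM
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
S3 dbustrcm;dbustrcm; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\dbustrcm.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
"""

# "2009-06-20 12:43:20 ----A---- C:\path" -> timestamp, attribute flags, path
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-[-A-Z]*-) (.+)$")
# "R1 name;description; C:\path [stamp size]" -> state, name, desc, path, bracket text
DRIVER_RE = re.compile(r"^([RS][0-4]) ([^;]+);([^;]*); (.+) \[([^\]]*)\]$")

# Lower-cased path fragments treated as user-writable on XP (assumed list).
USER_WRITABLE = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\local settings\\")


def parse_rsit(text):
    """Walk the ====== section headers and parse the two lists we care about."""
    created, drivers, section = [], [], None
    for line in text.splitlines():
        if line.startswith("======"):
            if "files/folders created" in line:
                section = "created"
            elif "List of drivers" in line:
                section = "drivers"
            else:
                section = None
            continue
        if section == "created":
            m = FILE_RE.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                created.append((ts, m.group(2), m.group(3)))
        elif section == "drivers":
            m = DRIVER_RE.match(line)
            if m:
                drivers.append({"state": m.group(1), "name": m.group(2),
                                "desc": m.group(3), "path": m.group(4), "stamp": m.group(5)})
    return created, drivers


def files_near(created, anchor, window):
    """Entries created within +/- window of anchor, oldest first."""
    return sorted((ts, path) for ts, _attrs, path in created if abs(ts - anchor) <= window)


def drivers_in_user_writable(drivers):
    """Drivers whose image path (after stripping the \\??\\ prefix) is user-writable."""
    hits = []
    for d in drivers:
        p = d["path"].lower()
        if p.startswith("\\??\\"):
            p = p[4:]
        if any(frag in p for frag in USER_WRITABLE):
            hits.append((d["name"], d["path"]))
    return hits


def triage(text, anchor_str, window_hours=24):
    """Run both checks; anchor_str uses the log's own 'YYYY-mm-dd HH:MM:SS' form."""
    anchor = datetime.strptime(anchor_str, "%Y-%m-%d %H:%M:%S")
    created, drivers = parse_rsit(text)
    return {
        "files_near_anchor": files_near(created, anchor, timedelta(hours=window_hours)),
        "drivers_in_user_writable": drivers_in_user_writable(drivers),
    }


if __name__ == "__main__":
    # Anchor on the creation time of mt_32.dll, the earliest 20 Jun entry in the list.
    report = triage(RSIT_SAMPLE, "2009-06-20 12:43:20")
    for ts, path in report["files_near_anchor"]:
        print(f"created {ts}  {path}")
    for name, path in report["drivers_in_user_writable"]:
        print(f"driver {name} loads from a user-writable path: {path}")
```

Widening `window_hours` pulls in the later system32 additions and the `All Users\Application Data\10394214` directory, which is how you decide whether a second wave of files belongs to the same incident; the driver check is independent of the window, because a driver image under a profile's Temp directory is worth a look regardless of when it appeared.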
gdowling
2009-08-16, 20:32
Here is the RSIT "info.txt" --
==============================
info.txt logfile of random's system information tool 1.06 2009-08-16 12:53:18
======Uninstall list======
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
-->c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7550D6AA-CCF3-4FDA-87D6-C2C1B2E5358D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80FFF4BA-C102-4102-A4B1-935D9573278B}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{80FFF4BA-C102-4102-A4B1-935D9573278B}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9104A09A-EC83-11D8-8469-00D0B726B56E}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9744AE38-1CC6-414F-96CE-0643AEE30A9B}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AB14DF5-3B04-4E3B-9969-695DBA7F2008}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E54F486-CD4A-44A5-B041-16D4E1E56A53}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /X{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Age of Empires III-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Age of Mythology-->"C:\Program Files\Microsoft Games\Age of Mythology\UNINSTAL.EXE" /runtemp /addremove
America Online (Choose which version to remove)-->C:\Program Files\Common Files\aolshare\Aolunins_us.exe
Atari Arcade Hits 1-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hasbro Interactive\Atari Arcade Hits 1\Uninst.isu"
Canon Camera Window for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}
Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2236B741-6631-49AE-B76E-3E14CA01CC87}
Canon Utilities PhotoStitch 3.1-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{C05E2D43-A05F-4835-A15C-CD0AD1576506}
Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Citrix ICA Web Client-->C:\WINDOWS\system32\ctxsetup.exe /uninst C:\PROGRA~1\Citrix\icaweb32\uninst.inf
Command & Conquer Generals-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Command and ConquerTM Generals Zero Hour-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative Zen Micro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D944236D-7992-41D6-8257-930B5832F1CC}\SETUP.EXE" -l0x9 /remove
Creative ZEN V Series (R2)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
Creative ZEN V Series-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AA9D879B-0F98-4059-85A5-D05718A1D6F7}\SETUP.EXE" -l0x9 /remove
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Detto IntelliMover Demo-->MsiExec.exe /X{E62C706B-1352-4DCA-B4D4-81C24750B70F}
Digital DFP Solid State Audio Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{47BB71CF-F3A3-4EE5-AB3E-110B933557B1}\setup.exe" -l0x9
DLA-->MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Easy Chef's Million Recipes-->C:\CB45\UNWISE.EXE C:\CB45\INSTALL.LOG
easy Internet sign-up-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B5DDB2C-0807-47FD-9C11-80EA761902C0}\Setup.exe" -l0x9
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
HijackThis 2.0.2-->"C:\Documents and Settings\Adrian\Desktop\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB896344)-->"C:\WINDOWS\$NtUninstallKB896344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
hp center-->C:\WINDOWS\BWUnin-6.1.0.153.exe -AppId 137903
hp deskjet 3320 series (Remove only)-->C:\Program Files\hp deskjet 3320 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB/DeskJet 3320/ -vproduct=3320 -huninstall
hp instant support-->C:\PROGRA~1\HEWLET~1\hpis\Uninstall.exe /s CeS
hp learning adventure-->c:\program files\HPSelect\Frontend\uninstall.exe
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
hp toolkit-->c:\Windows\HPTK\unhptkit.exe
Icewind Dale II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{588C135F-0B15-4A02-8F2D-04697BE2904E}\setup.exe" -l0x9
Inactive HP Printer Drivers (Remove only)-->RunDll32 hpuninst.dll,InstallHinfSection UninstDefault 132 prntunin.inf
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iolo technologies' System Mechanic 6-->"C:\Program Files\iolo\System Mechanic 6\unins000.exe"
iPhoto Plus 4-->C:\WINDOWS\uninst.exe -f"C:\Program Files\iPhoto Plus 4\DeIsL1.isu"
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
LeapFrog Mind Station-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8D16BF2D-4C35-4E6B-AB35-2FF6B1486031}\SETUP.EXE"
Learn2 Player (Uninstall Only)-->C:\Program Files\Learn2.com\StRunner\stuninst.exe
Lernout & Hauspie TruVoice American English TTS Engine-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
Lexar Media Inc. USB Card Reader Driver v2.2(M)-->C:\WINDOWS\iun6002.exe "C:\Program Files\Lexar Media Inc.\USB Card Reader Driver v2.2(M)\irunin.ini"
Lexmark 3500-4500 Series-->C:\Program Files\Lexmark 3500-4500 Series\Install\x86\Uninst.exe
LiveUpdate 3.3 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Logitech Gaming Software-->MsiExec.exe /X{FAAA508A-05C0-488B-BFC2-F9217E545A81}
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Macromedia Shockwave Player-->C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Mechwarrior CD Patch 1.0-->"C:\hp\drivers\lan\UNINST.EXE"
MediaFACE 4.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\8\INTEL3~1\IDriver.exe /M{7F581D1D-C9A7-4C77-B88A-27537173CEDF} /l1033
Memory Viewer 5-->C:\PROGRA~1\MEMORY~1\UNWISE.EXE C:\PROGRA~1\MEMORY~1\INSTALL.LOG
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0-->c:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Excel Viewer 97-->C:\Program Files\XLView\setup\setup.exe
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005 Tools Express Edition-->MsiExec.exe /I{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C# 2005 Express Edition - ENU Service Pack 1 (KB926749)-->C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {B6B0F76A-873E-438E-BC25-6704193DD344} /package {7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft Visual C# 2005 Express Edition - ENU-->C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe
Microsoft Visual C# 2005 Express Edition - ENU-->MsiExec.exe /X{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft XML Parser and SDK-->MsiExec.exe /I{3E908702-AF35-4611-9518-955DA24B7E07}
Mozilla Firefox (1.5.0.10)-->C:\PROGRA~1\MOZILL~1\uninstall\uninstall.exe /ua "1.5.0.10 (en-US)"
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6 Service Pack 2 (KB954459)-->MsiExec.exe /I{1A528690-6A2D-4BC5-B143-8C4AE8D19D96}
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
MUSICMATCH Jukebox-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
NETGEAR WG311v3 802.11g Wireless PCI Adapter-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{70014586-7BBA-4A92-A610-CDC896C48F8F}
PGate Basic-->C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Common Files\remove_tools.html
Pirates of the Caribbean-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Pirates of the Caribbean\PCUninstall\Setup.exe" -l0x9
Prison Tycoon-->C:\Program Files\Prison Tycoon\data\gvnUninstaller.exe
PS2-->C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions-->C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Quicken Financial Center-->C:\PROGRA~1\QUICKE~1\rem\UNWISE.EXE /s C:\PROGRA~1\QUICKE~1\rem\INSTALL.LOG
QuickTime-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{9FE2F6B1-A114-424D-A0CE-161BF3D89277} /l1033
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow-->MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
Rise of Nations-->"C:\Program Files\Microsoft Games\Rise of Nations\Uninstal.exe" /runtemp /uninstall
Robot Arena-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77C28982-EFF7-4A10-B703-A6BB93335DCB}\setup.exe"
Roll-->C:\WINDOWS\UniFish3.exe C:\Program Files\Hasbro Interactive\RollerCoaster Tycoon\RollerCoaster Tycoon.log
S3Display-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay-->s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 6.4 (KB925398)-->"C:\WINDOWS\$NtUninstallKB925398_WMP64$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908531)-->"C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911562)-->"C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911567)-->"C:\WINDOWS\$NtUninstallKB911567$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912812)-->"C:\WINDOWS\$NtUninstallKB912812$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913580)-->"C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914388)-->"C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Security Update for Windows XP (KB914389)-->"C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Security Update for Windows XP (KB916281)-->"C:\WINDOWS\$NtUninstallKB916281$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917159)-->"C:\WINDOWS\$NtUninstallKB917159$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917344)-->"C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917422)-->"C:\WINDOWS\$NtUninstallKB917422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB917953)-->"C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918118)-->"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918439)-->"C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Security Update for Windows XP (KB918899)-->"C:\WINDOWS\$NtUninstallKB918899$\spuninst\spuninst.exe"
Security Update for Windows XP (KB919007)-->"C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920213)-->"C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920214)-->"C:\WINDOWS\$NtUninstallKB920214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920670)-->"C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920683)-->"C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB920685)-->"C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921398)-->"C:\WINDOWS\$NtUninstallKB921398$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921503)-->"C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Security Update for Windows XP (KB921883)-->"C:\WINDOWS\$NtUninstallKB921883$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922616)-->"C:\WINDOWS\$NtUninstallKB922616$\spuninst\spuninst.exe"
Security Update for Windows XP (KB922819)-->"C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923191)-->"C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923414)-->"C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923694)-->"C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923980)-->"C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924191)-->"C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924270)-->"C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924496)-->"C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Security Update for Windows XP (KB924667)-->"C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925486)-->"C:\WINDOWS\$NtUninstallKB925486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB925902)-->"C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926255)-->"C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB926436)-->"C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927779)-->"C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Security Update for Windows XP (KB927802)-->"C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928255)-->"C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Security Update for Windows XP (KB928843)-->"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Security Update for Windows XP (KB929123)-->"C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Security Update for Windows XP (KB930178)-->"C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931261)-->"C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Security Update for Windows XP (KB931784)-->"C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Security Update for Windows XP (KB932168)-->"C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB933729)-->"C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935839)-->"C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB935840)-->"C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Security Update for Windows XP (KB936021)-->"C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938829)-->"C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941202)-->"C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941568)-->"C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB943460)-->"C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944653)-->"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SimCity 4 Deluxe-->C:\Program Files\Maxis\SimCity 4 Deluxe\EAUninstall.exe
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Space Colony-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{42C402C3-F95B-4BA2-BC90-99816AAF8159}\setup.exe" -l0x9
Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Symantec Endpoint Protection-->MsiExec.exe /I{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}
Symantec KB-DocID:2003093015493306-->MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
TextBridge Classic-->"C:\PROGRA~1\TEXTBR~1\bin\setup.exe" -funinstal.ins
Texture Manager-->\UNWISE.EXE C:\DOCUME~1\Owner\
TFBC Band Nerd-->C:\Program Files\TFBC Band Nerd\uninstall.exe
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB900485)-->"C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Update for Windows XP (KB911280)-->"C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Update for Windows XP (KB916595)-->"C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update for Windows XP (KB920342)-->"C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Update for Windows XP (KB920872)-->"C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update for Windows XP (KB922582)-->"C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update for Windows XP (KB925720)-->"C:\WINDOWS\$NtUninstallKB925720$\spuninst\spuninst.exe"
Update for Windows XP (KB925876)-->"C:\WINDOWS\$NtUninstallKB925876$\spuninst\spuninst.exe"
Update for Windows XP (KB927891)-->"C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update for Windows XP (KB930916)-->"C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update for Windows XP (KB931836)-->"C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Update for Windows XP (KB933360)-->"C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Update for Windows XP (KB936357)-->"C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update for Windows XP (KB938828)-->"C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Manager (Remove Only)-->C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows XP Hotfix - KB834707-->C:\WINDOWS\$NtUninstallKB834707$\spuninst\spuninst.exe
Windows XP Hotfix - KB867282-->C:\WINDOWS\$NtUninstallKB867282$\spuninst\spuninst.exe
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890047-->C:\WINDOWS\$NtUninstallKB890047$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\Uninst32.exe
WordPerfect Productivity Pack-->C:\WINDOWS\Corel\uninst32.exe
WorldView Interactive-->C:\PROGRA~1\WORLDV~1\UNWISE.EXE C:\PROGRA~1\WORLDV~1\INSTALL.LOG
======Security center information======
AV: Symantec Endpoint Protection
FW: Symantec Endpoint Protection
======System event log======
Computer Name: HAL2002
Event Code: 1073
Message: The attempt to power off HAL2002 failed
Record Number: 56068
Source Name: USER32
Time Written: 20090312165755.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: HAL2002
Event Code: 7034
Message: The LiveUpdate service terminated unexpectedly. It has done this 1 time(s).
Record Number: 55974
Source Name: Service Control Manager
Time Written: 20090311165942.000000-300
Event Type: error
User:
Computer Name: HAL2002
Event Code: 7000
Message: The LiveUpdate service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Record Number: 55971
Source Name: Service Control Manager
Time Written: 20090311165907.000000-300
Event Type: error
User:
Computer Name: HAL2002
Event Code: 7009
Message: Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
Record Number: 55970
Source Name: Service Control Manager
Time Written: 20090311165907.000000-300
Event Type: error
User:
Computer Name: HAL2002
Event Code: 10005
Message: DCOM got error "%1053" attempting to start the service LiveUpdate with arguments ""
in order to run the server:
{03E0E6C2-363B-11D3-B536-00902771A435}
Record Number: 55969
Source Name: DCOM
Time Written: 20090311165905.000000-300
Event Type: error
User: HAL2002\Adrian
=====Application event log=====
Computer Name: HAL2002
Event Code: 6
Message:
Could not scan 2 files inside c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer6.zip due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.4010.14&language=english&module=1000&error=0014&build=symantec_ent
Record Number: 20220
Source Name: Symantec AntiVirus
Time Written: 20090813234102.000000-240
Event Type: warning
User:
Computer Name: HAL2002
Event Code: 51
Message:
Security Risk Found!Adware.Begin2search in File: C:\WINDOWS\system32\desktrf.exe by: Auto-Protect scan. Action: Process or service must be halted. Action Description:
Record Number: 20219
Source Name: Symantec AntiVirus
Time Written: 20090813233049.000000-240
Event Type: error
User:
Computer Name: HAL2002
Event Code: 51
Message:
Security Risk Found!Adware.Begin2search in File: c:\WINDOWS\system32\desktrf.exe by: Manual scan. Action: Process or service must be halted. Action Description:
Record Number: 20218
Source Name: Symantec AntiVirus
Time Written: 20090813232719.000000-240
Event Type: error
User:
Computer Name: HAL2002
Event Code: 6
Message:
Could not scan 1 files inside c:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_8.cab due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.4010.14&language=english&module=1000&error=0014&build=symantec_ent
Record Number: 20217
Source Name: Symantec AntiVirus
Time Written: 20090813230540.000000-240
Event Type: warning
User:
Computer Name: HAL2002
Event Code: 6
Message:
Could not scan 1 files inside c:\WINDOWS\I386\SOFTBAR.IN_ due to extraction errors encountered by the Decomposer Engines.Application has encountered an error.
For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.4010.14&language=english&module=1000&error=0014&build=symantec_ent
Record Number: 20216
Source Name: Symantec AntiVirus
Time Written: 20090813225529.000000-240
Event Type: warning
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22;C:\Program files\PC-Doctor for Windows XP\WINDSAPI;C:\Program Files\QuickTime\QTSystem\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 7, GenuineIntel
"PROCESSOR_REVISION"=0207
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip
-----------------EOF-----------------
Here is the GMER log --
==============================
GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-08-16 13:08:17
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.15 ----
SSDT 82CD17E8 ZwAlertResumeThread
SSDT 82CDC760 ZwAlertThread
SSDT 82D5C4F0 ZwAllocateVirtualMemory
SSDT 82D0DFB0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEF2A8EB0]
SSDT 82EA6CE0 ZwCreateMutant
SSDT 82CD65B8 ZwCreateThread
SSDT 82DBF238 ZwFreeVirtualMemory
SSDT 82CCFDA0 ZwImpersonateAnonymousToken
SSDT 82CD1110 ZwImpersonateThread
SSDT 82CD7840 ZwMapViewOfSection
SSDT 82CCFCC8 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xEF2A9440]
SSDT 82DBA6A0 ZwOpenProcessToken
SSDT 82D66388 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xF86DC840]
SSDT 82DE6340 ZwResumeThread
SSDT 82DA92E0 ZwSetContextThread
SSDT 82EA5F30 ZwSetInformationProcess
SSDT 82EA3FC0 ZwSetInformationThread
SSDT 82CCF5B0 ZwSuspendProcess
SSDT 82CE4C40 ZwSuspendThread
SSDT 82DE7E30 ZwTerminateProcess
SSDT 82CBC008 ZwTerminateThread
SSDT 82DF6A10 ZwUnmapViewOfSection
SSDT 82D5BD28 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 7C 804E26D8 8 Bytes CALL E0D0F3F4
.text ntoskrnl.exe!_abnormal_termination + 3DC 804E2A38 8 Bytes JMP EA3FC082
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\CLSID@ Standard Font
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@ oleaut32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@InprocServer32 ^1'N59oYf?JZtME*3p~[>M5KDYSUnf(HA*L[xeX)y?
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{0A04E0F8-DC88-B943-2C7B-226A2C7B226A}\ProgID@ StdFont
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
----------------------------------------------------------------------------------------
Step 1
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
Update Malwarebytes' Anti-Malware
and Launch Malwarebytes' Anti-Malware
then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If requested, please reboot
If you accidentally close it, the log file is saved here and will be named like this:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------------------------------------------------------------------------------------
Step 2
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
----------------------------------------------------------------------------------------
Step 3
Download GMER's MBR.exe (http://www2.gmer.net/mbr/mbr.exe) to your desktop.
Double click on the MBR.exe file to run it. A log will be produced, MBR.log.
Please open this log in Notepad and post its contents in your next reply.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
MalwareBytes Log
Combofix Log
MBR Log
How are things running now?
gdowling
2009-08-17, 05:47
As you requested...
============================
Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 2
8/16/2009 9:27:05 PM
mbam-log-2009-08-16 (21-27-05).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 257261
Time elapsed: 3 hour(s), 7 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 2
Files Infected: 33
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\asd3.testmyie2 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\asd3.testmyie2.1 (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c1-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP Deluxe Protector (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\10394214 (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\Adrian\XP Deluxe Protector (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\10394214 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP521\A0094460.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP523\A0095457.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP523\A0095474.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP527\A0096473.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP532\A0096515.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0097474.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0097484.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0098484.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0099489.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0099500.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101502.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101506.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101923.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101926.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101927.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101988.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101989.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101990.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101991.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101992.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102028.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102029.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102030.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102031.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102032.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102036.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP536\A0102063.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adrian\XP Deluxe Protector\xpdeluxe.exe (Rogue.DeluxeProtector) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adrian\Application Data\Microsoft\SystemBackup\mt_32.dll (Trojan.Conhook.B) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\main\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adrian\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gdi32lib.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
============================
ComboFix 09-08-10.06 - Adrian 08/16/2009 21:59.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.166 [GMT -4:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Adrian\nah_log.dat
c:\windows\Installer\1c51f0.msp
c:\windows\Installer\312740.msi
c:\windows\sndrec32.exe
c:\windows\system32\iosocket.dll
c:\windows\system32\mdm.exe
c:\windows\system32\proquota.exe . . . is missing!!
.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\Adrian\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 16:10 . 2009-08-16 16:53 -------- d-----w- C:\rsit
2009-08-14 04:48 . 2009-08-14 04:50 -------- d-----w- c:\program files\ERUNT
2009-08-14 00:35 . 2009-08-14 00:35 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\Symantec
2009-08-14 00:30 . 2009-02-26 19:11 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-08-14 00:28 . 2009-08-14 07:18 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-14 00:28 . 2009-08-14 07:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-14 00:27 . 2006-05-16 14:58 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\WindowsInstaller-KB893803-x86.exe
2009-08-14 00:26 . 2009-02-26 20:19 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\Setup.exe
2009-08-14 00:26 . 2009-02-26 19:07 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\smcinst.exe
2009-08-14 00:26 . 2008-12-10 19:47 3553808 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LUSETUP.EXE
2009-08-14 00:26 . 2008-12-10 19:46 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LuCheck.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-14 07:19 . 2002-07-27 03:33 -------- d-----w- c:\program files\Symantec
2009-08-14 07:18 . 2009-08-14 00:28 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-14 07:18 . 2009-08-14 00:28 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-14 07:18 . 2002-07-27 03:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 05:56 . 2003-11-09 04:52 -------- d-----w- c:\documents and settings\Adrian\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-06-21 04:51 . 2002-12-26 03:17 -------- d-----w- c:\program files\Robot Arena
2009-06-21 04:51 . 2005-07-22 04:06 -------- d-----w- c:\program files\Pyware 3D Java Interactive Viewer
2009-06-21 04:50 . 2002-12-26 19:22 -------- d-----w- c:\program files\LeapFrog
2009-06-21 04:49 . 2002-07-24 23:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 04:49 . 2002-07-24 23:21 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-21 04:49 . 2002-12-25 19:25 -------- d-----w- c:\program files\Common Files\aolshare
2009-06-21 04:48 . 2003-11-04 20:00 -------- d-----w- c:\program files\America Online 9.0
2009-06-21 04:48 . 2009-01-30 21:43 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-06-21 04:47 . 2005-12-01 20:02 -------- d-----w- c:\documents and settings\Adrian\Application Data\FaxCtr
2009-06-18 23:15 . 2009-06-18 23:15 -------- d-----w- c:\documents and settings\Adrian\Application Data\AdobeUM
2009-06-10 20:22 . 2009-06-10 20:22 10920 ----a-w- C:\aolconnfix.exe
2009-05-21 00:32 . 2009-05-21 00:28 34 ----a-w- c:\documents and settings\Adrian\jagex_runescape_preferences.dat
2009-05-21 00:25 . 2009-05-21 00:26 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-21 00:24 . 2009-05-21 00:24 152576 ----a-w- c:\documents and settings\Adrian\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2002-12-26 19:45 . 2002-12-26 19:45 6021736 ----a-w- c:\program files\MindStation.exe
2007-03-10 03:54 . 2006-11-24 16:48 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-03-10 03:54 . 2006-11-24 16:48 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-10 03:54 . 2006-11-24 16:48 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
c:\documents and settings\Adrian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Watch.lnk.disabled [2004-10-1 745]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online Tray Icon.lnk.disabled [2003-11-8 834]
hp center.lnk - c:\program files\hp center\137903\Program\BWCHelpr-137903.dll [2002-7-24 20480]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WG311v3 Wireless Assistant.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2005-8-28 2238]
TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2004-10-1 23552]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IgfxTray"=c:\windows\System32\igfxtray.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/14/2009 1:08 AM 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\system32\drivers\MS20022K.sys [12/26/2002 4:28 PM 14781]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [12/25/2005 1:39 AM 27904]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 22:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-17 22:34
ComboFix-quarantined-files.txt 2009-08-17 02:34
Pre-Run: 19,368,321,024 bytes free
Post-Run: 19,523,936,256 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
185 --- E O F --- 2009-06-10 07:04
============================
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x07285D73
malicious code @ sector 0x07285D76 !
PE file found in sector at 0x07285D8C !
============================
To answer your question about "how things are running now" -- it still seems a bit sluggish, but I do not normally use this computer (it is my son's) so I have nothing to compare it against. It does seem a bit faster than when I first got it, though.
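The Malwarebytes "Registry Data Items Infected" entries and the ComboFix "File Associations" section above show one pattern: the rogue pointed the .scr and .reg open handlers at NOTEPAD.EXE (a .reg fix or a script then opens as text instead of running), switched the Security Center's AntiVirusDisableNotify / FirewallDisableNotify / UpdatesDisableNotify flags on, and listed scui.cpl and wscui.cpl under "don't load" so the Security Center applet is hidden. Malwarebytes repaired the first two handlers; ComboFix's File Associations section still lists JSEFile, VBEFile and VBSFile as NOTEPAD.EXE %1 after that run. The script below is an added example, not a tool from this thread. It parses a REGEDIT4-style export (the sample embedded in it is constructed to mirror the values in these logs) and reports every deviation from the known-good values. The "Good:" strings for scrfile and regfile are the ones from the Malwarebytes log; for the three script handlers the check only requires that the handler be wscript.exe or cscript.exe, because the exact default command string varies by install (an assumption of this example).

```python
import re

# Known-good values taken from the Malwarebytes "Good:" fields in the log above.
EXPECTED_EXACT = {
    (r"HKEY_CLASSES_ROOT\scrfile\shell\open\command", "@"): '"%1" /S',
    (r"HKEY_CLASSES_ROOT\regfile\shell\open\command", "@"): 'regedit.exe "%1"',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify"): 0,
}
# Script handlers: only the host executable is checked (assumption: the exact
# default command string differs between installs, the script host does not).
SCRIPT_HANDLERS = [
    r"HKEY_CLASSES_ROOT\JSEFile\shell\open\command",
    r"HKEY_CLASSES_ROOT\VBEFile\shell\open\command",
    r"HKEY_CLASSES_ROOT\VBSFile\shell\open\command",
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DONT_LOAD_KEY = r"HKEY_CURRENT_USER\Control Panel\don't load"
HIDDEN_APPLETS = {"scui.cpl", "wscui.cpl"}

# Constructed sample export mirroring the tampered values seen in the logs.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\JSEFile\shell\open\command]
@="\"%SystemRoot%\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\VBSFile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\don't load]
"wscui.cpl"="No"
'''


def _unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a REGEDIT4/REGEDIT5 export into {key_path: {value_name: value}}.
    String values are unescaped, dword values become ints, anything else is
    kept as raw text. '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        val = m.group(2)
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = _unescape(val[1:-1])
        elif val.lower().startswith("dword:"):
            val = int(val[6:], 16)
        keys[current][name] = val
    return keys


def get_key(keys, path):
    """Case-insensitive key lookup; registry paths are not case-sensitive."""
    want = path.lower()
    return next((v for k, v in keys.items() if k.lower() == want), {})


def executable_of(command):
    """Lower-cased basename of the program a shell\\open\\command string runs."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        prog = command[1:end] if end > 0 else command[1:]
    else:
        prog = command.split()[0] if command.split() else ""
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(keys):
    """Return (key, value_name, found, expected) for every tampered item."""
    findings = []
    for (key, name), good in EXPECTED_EXACT.items():
        found = get_key(keys, key).get(name)
        if found is not None and found != good:
            findings.append((key, name, found, good))
    for key in SCRIPT_HANDLERS:
        cmd = get_key(keys, key).get("@")
        if cmd is not None and executable_of(cmd) not in SCRIPT_HOSTS:
            findings.append((key, "@", cmd, "handler must be wscript.exe or cscript.exe"))
    for name in get_key(keys, DONT_LOAD_KEY):
        if name.lower() in HIDDEN_APPLETS:
            findings.append((DONT_LOAD_KEY, name, "listed (applet hidden)", "not listed"))
    return findings


if __name__ == "__main__":
    for key, name, found, good in audit(parse_reg(SAMPLE_REG)):
        print(f"{key} [{name}]\n    found:    {found!r}\n    expected: {good!r}")
```

Run against the embedded sample it reports five items: the scrfile handler, the two DisableNotify flags still set to 1, the VBSFile handler and the hidden wscui.cpl; regfile, JSEFile and FirewallDisableNotify pass. On a live machine you would feed it the output of `reg export` for those hives instead of the sample.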
----------------------------------------------------------------------------------------
Step 1
Create A Batch File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it MBRfix.bat. Please save it on your desktop (it must be next to MBR.exe).
@Echo Off
rem work from the folder this batch file lives in (the Desktop, next to MBR.exe)
CD %~pd0
rem list every copy of proquota.exe found on the system drive into KLog.txt, then open that log
PEV -l "%systemdrive%\proquota.exe" >KLog.txt&KLog.txt
rem run MBR.exe with its -f (fix) switch; it writes its own MBR.log
mbr -f
rem the batch file deletes itself when done
del /q %0
Double click on MBRFix.bat
A log will be saved on your desktop named KLog.txt, and then MBR will run again and produce its own report.
I will need to see both logs in your reply
----------------------------------------------------------------------------------------
Step 2
Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
MBR log
KLog.txt
Kaspersky Log
gdowling
2009-08-18, 17:50
Sorry for the delay. Here are the KLog and MBR logfiles. However, when I hit the "accept" button on the Kaspersky website, the language changed from English to what appears to be Russian. I rebooted my computer, and I am seeing the same thing on the site. No other sites have this problem in my browser. I will delete the cache & cookies and see if that helps, but do you have any other suggestions otherwise?
I would upload the image as an attachment, but I cannot get the JPG size down below the 97K limit -- even zipped.
=========================
-c----w- 45,056 2001-08-18 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\proquota.exe
------w- 50,176 2004-08-04 07:56:55 C:\WINDOWS\ServicePackFiles\i386\proquota.exe
----a-w- 50,176 2008-04-14 00:12:32 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe
Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 145,408 Blocks: 284
=========================
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x07285D73
malicious code @ sector 0x07285D76 !
PE file found in sector at 0x07285D8C !
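The mbr.exe output above (quoted twice in this thread) reports three observations: a sector holding a copy of the MBR, "malicious code" three sectors later, and a PE file a little further on. That is the footprint of an MBR-infecting rootkit of the Mebroot/Sinowal family: the original MBR is moved elsewhere on the disk and the payload is kept in raw sectors rather than in a file, which is why file-based scanners found nothing there. The script below is an added example, not part of this thread and not GMER's tool. It builds a small synthetic disk image with that layout (constructed data; the sector numbers 0x173 and 0x18C echo the low bytes of the ones in the log) and scans it with two of those checks: a sector carrying the 0x55AA signature and the same partition table as sector 0 (MBR infectors keep the partition table intact, so the stashed original matches even though its boot code differs), and a sector beginning with an MZ/PE header. How mbr.exe identifies "malicious code" is not documented here and is not reproduced. The restore step writes the recovered copy over sector 0, which is one way to repair an offline image, not a description of what mbr -f does.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xAA"
PT_OFFSET = 446      # partition table: 4 x 16 bytes starting here
E_LFANEW = 0x3C      # DOS header field holding the offset of the PE signature


def make_partition_table():
    """One bootable NTFS-type partition starting at LBA 63 (constructed)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 0x1000)
    return entry + b"\x00" * 48


def make_mbr(boot_code_seed, partition_table):
    """512-byte MBR: 446 bytes of fake boot code (a deterministic byte
    pattern, not real x86 code), the partition table and the 0x55AA signature."""
    assert len(partition_table) == 64
    code = bytes((boot_code_seed + i * 7) & 0xFF for i in range(PT_OFFSET))
    return code + partition_table + MBR_SIG


def make_pe_stub():
    """A sector that looks like the start of a PE file: 'MZ' DOS header with
    e_lfanew = 0x40 and the 'PE\\0\\0' signature at that offset."""
    sec = bytearray(SECTOR)
    sec[0:2] = b"MZ"
    struct.pack_into("<I", sec, E_LFANEW, 0x40)
    sec[0x40:0x44] = b"PE\x00\x00"
    return bytes(sec)


def build_sample_image(total=0x200, copy_at=0x173, pe_at=0x18C):
    """Constructed image with the reported layout: sector 0 holds an MBR whose
    boot code was replaced, the original MBR is stashed at `copy_at`, and a
    PE file sits at `pe_at`. Every other sector is zero."""
    pt = make_partition_table()
    original = make_mbr(0x10, pt)
    infected = make_mbr(0xB0, pt)      # same partition table, different code
    img = bytearray(total * SECTOR)
    img[0:SECTOR] = infected
    img[copy_at * SECTOR:(copy_at + 1) * SECTOR] = original
    img[pe_at * SECTOR:(pe_at + 1) * SECTOR] = make_pe_stub()
    return img


def sector(img, n):
    return bytes(img[n * SECTOR:(n + 1) * SECTOR])


def looks_like_mbr_copy(sec, mbr0):
    """Heuristic used by this example: 0x55AA signature, the same partition
    table as sector 0, and non-empty boot code."""
    return (sec[-2:] == MBR_SIG
            and sec[PT_OFFSET:510] == mbr0[PT_OFFSET:510]
            and sec[:PT_OFFSET] != b"\x00" * PT_OFFSET)


def looks_like_pe(sec):
    """'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew, checked only when that
    offset falls inside the same sector."""
    if sec[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", sec, E_LFANEW)
    return e_lfanew + 4 <= SECTOR and sec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(img):
    """Return [(sector_number, finding), ...] for every sector after 0 that
    matches one of the two checks."""
    mbr0 = sector(img, 0)
    findings = []
    for n in range(1, len(img) // SECTOR):
        sec = sector(img, n)
        if looks_like_mbr_copy(sec, mbr0):
            findings.append((n, "copy of MBR"))
        elif looks_like_pe(sec):
            findings.append((n, "PE file"))
    return findings


def format_report(findings):
    """Render findings in the style of the mbr.exe lines quoted above."""
    lines = []
    for n, kind in findings:
        if kind == "copy of MBR":
            lines.append(f"copy of MBR has been found in sector 0x{n:08X}")
        else:
            lines.append(f"PE file found in sector at 0x{n:08X} !")
    return lines


def restore_mbr(img, copy_sector):
    """Write the stashed original MBR back over sector 0 of a copy of the image
    (one way to repair an offline image; not what mbr.exe -f does internally)."""
    fixed = bytearray(img)
    fixed[0:SECTOR] = sector(img, copy_sector)
    return fixed


if __name__ == "__main__":
    image = build_sample_image()
    for line in format_report(scan_image(image)):
        print(line)
```

To use the same checks on a real disk you would read `\\.\PhysicalDrive0` (or a dd image) in 512-byte sectors and pass it through `scan_image`; on an infected live system, though, the rootkit can filter what a sector read returns, which is exactly why mbr.exe compares a user-mode read with a kernel-mode read before printing "user & kernel MBR OK".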
I've never heard of that problem with Kaspersky before?
Try this instead ...
Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site Link >> ActiveScan (http://www.pandasecurity.com/activescan/index/) << LINK
Click the Scan Now button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small export to notepad button and save the report to your desktop.
Please post the report in your reply.
gdowling
2009-08-19, 02:47
It took about 6 hours to run (I think), but here it is --
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-08-18 19:44:21
PROTECTIONS: 1
MALWARE: 48
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Symantec Endpoint Protection 11.0.4010.14 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00020302 adware/ncase Adware No 0 Yes No c:\temp\salmau.dat
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm.log
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm_gdf.dat
00020302 adware/ncase Adware No 0 Yes No c:\temp\salm_kyf.dat
00020937 adware/statblaster Adware No 0 Yes No hkey_local_machine\software\wildmedia
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\dsi
00029767 adware/delfinmedia Adware No 1 Yes No c:\keys.ini
00029767 adware/delfinmedia Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\pgate
00034463 adware/wupd Adware No 0 Yes No c:\program files\adtools service
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00065260 adware/ipinsight Adware No 0 Yes No c:\windows\inf\polall1r.inf
00065260 adware/ipinsight Adware No 0 Yes No c:\windows\inf\conscorr.inf
00096718 adware/twain-tech Adware No 0 Yes No c:\windows\twaintec.ini
00110908 adware/localnrd Adware No 0 Yes No c:\windows\inf\localnrd.inf
00110908 adware/localnrd Adware No 0 Yes No hkey_classes_root\localnrddll.localnrddllobj
00110908 adware/localnrd Adware No 0 Yes No hkey_local_machine\software\classes\localnrddll.localnrddllobj
00110908 adware/localnrd Adware No 0 Yes No hkey_local_machine\software\classes\localnrddll.localnrddllobj.1
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.atdmt.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.247realmedia.com/]
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@247realmedia[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{87C4765D-CA7E-4B13-8B1E-0BBDA0B37949}.txt[{87C4765D-CA7E-4B13-8B1E-0BBDA0B37949}.txt]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.mediaplex.com/]
00145758 Cookie/Mysearch TrackingCookie No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Cookies\system@mysearch[1].txt
00148161 Adware/SAHAgent Adware No 0 No No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101924.exe[winbbb.dat]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.revenue.net/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@revenue[1].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@z1.adserver[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.azjmp.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Cookies\adrian@apmebf[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.apmebf.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.burstnet.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Cookies\adrian@serving-sys[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Cookies\adrian@bs.serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.bs.serving-sys.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[www.burstbeacon.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adtech.de/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{8E3DBB5A-5962-4C76-99D1-A75E990D4E00}.txt[{8E3DBB5A-5962-4C76-99D1-A75E990D4E00}.txt]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{53CFAF61-F077-460C-9A8D-DCF879B10808}\{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt[{C6561877-3A4E-4D7D-B275-9949EEE1FC7A}.txt][.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.questionmarket.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.zedo.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.bluestreak.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adrevolver.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.adultfriendfinder.com/]
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[searchportal.information.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.target.com/]
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\inf\alchem.inf
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\alchem.ini
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.atwola.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.atwola.com/]
00278769 Application/PRScheduler HackTools No 0 Yes No C:\Program Files\iolo\System Mechanic 6\Disabled Entries\Current User\PowerReg Scheduler.exe
00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\093E4764.exe
00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\093E4764.dll
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101536.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101537.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101538.dll
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101539.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101540.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101545.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101548.dll
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101549.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101554.dll
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101555.exe
00447834 Adware/Lop Adware No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101557.dll
00590315 Rootkit/Agent.LNB HackTools No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP536\A0102090.sys
01573568 Trj/Hanambot.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101922.exe
02495756 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP526\A0095501.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0101925.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP535\A0102033.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP534\A0101703.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP536\A0102126.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP536\A0102064.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP536\A0102065.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\iosocket.dll.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\Default User\Start Menu\Programs\Startup\AutoPlay.exe
No C:\Documents and Settings\Owner\Desktop\everything\rs_cheats.zip[autominers.zip][Sythe's quick autominer.exe]
No C:\hp\bin\AUTOPLAY.EXE
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
191613 HIGH MS08-020
187733 HIGH MS08-008
;===================================================================================================================================================================================
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe|C:\windows\system32\proquota.exe
File::
c:\windows\inf\alchem.inf
c:\windows\alchem.ini
c:\program files\adtools service
C:\hp\bin\Terminator.exe
c:\windows\inf\polall1r.inf
c:\windows\inf\conscorr.inf
c:\windows\twaintec.ini
c:\windows\inf\localnrd.inf
c:\keys.ini
c:\temp\salmau.dat
c:\temp\salm.log
c:\temp\salm_gdf.dat
c:\temp\salm_kyf.dat
Registry::
[-hkey_local_machine\software\wildmedia]
[-hkey_local_machine\software\dsi]
[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\pgate]
[-hkey_classes_root\localnrddll.localnrddllobj]
[-hkey_local_machine\software\classes\localnrddll.localnrddllobj]
[-hkey_local_machine\software\classes\localnrddll.localnrddllobj.1]
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
Please post a fresh RSIT log along with the Combofix Log
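To show how the ActiveScan report posted above maps onto the File:: and Registry:: sections of the CFScript, here is an added Python example (not part of the thread, of Panda ActiveScan or of ComboFix): it parses lines in the report's column layout, sets tracking cookies and copies inside restore points or quarantine folders aside, and emits the remaining file paths and registry keys in the CFScript layout the helper used. The sample report lines are constructed from entries in the thread; the bucketing rules are my assumptions about what gets carried over, not Panda's or ComboFix's.

```python
"""Triage Panda ActiveScan report lines into ComboFix CFScript sections.

Added example for this thread; not the forum post's, Panda's or ComboFix's
own code. The report columns (Id, Description, Type, Active, Severity,
Disinfectable, Disinfected, Location) and the CFScript sections (File::,
Registry:: with [-key] entries) are as shown in the thread; the bucketing
rules are assumptions about what a helper would carry over into a script.
"""
import re
from dataclasses import dataclass

# Constructed sample report: a few lines copied from the ActiveScan output in
# the thread (one duplicated on purpose), plus header lines the parser skips.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====================================================================
00020302 adware/ncase Adware No 0 Yes No c:\temp\salmau.dat
00020937 adware/statblaster Adware No 0 Yes No hkey_local_machine\software\wildmedia
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\cookies.txt[.trafficmp.com/]
00110908 adware/localnrd Adware No 0 Yes No hkey_classes_root\localnrddll.localnrddllobj
02495756 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{B762F5BE-1DFD-40DA-9793-F321C2185D05}\RP526\A0095501.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\system32\iosocket.dll.vir
00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\093E4764.exe
00020302 adware/ncase Adware No 0 Yes No c:\temp\salmau.dat
"""

# One detection row. The description may contain spaces ("Cookie/Traffic
# Marketplace", "Generic Malware"), so it is matched lazily and the fixed
# Yes/No and numeric severity columns anchor the rest of the line.
DETECTION_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<location>.+)$"
)


@dataclass(frozen=True)
class Detection:
    ident: str
    description: str
    kind: str
    active: bool
    severity: int
    location: str


def parse_report(text: str) -> list[Detection]:
    """Return the detection rows of a report, skipping titles and separators."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # section titles, column headers, ';===' rules, blanks
        rows.append(Detection(m["id"], m["desc"], m["type"], m["active"] == "Yes",
                              int(m["severity"]), m["location"]))
    return rows


# Locations that hold archived copies rather than live components: System
# Restore snapshots and the Norton / ComboFix (Qoobox) quarantine folders.
# The CFScript in the thread lists none of these. (Assumed markers.)
INERT_MARKERS = ("\\system volume information\\", "\\quarantine\\", "\\qoobox\\")


def bucket(det: Detection) -> str:
    """Decide what a detection becomes: cookie, inert copy, registry key or file."""
    loc = det.location.lower()
    if det.kind == "TrackingCookie":
        return "cookie"      # browser cookie store entry, not a CFScript item
    if any(marker in loc for marker in INERT_MARKERS):
        return "inert"       # archived copy, not running code
    if loc.startswith("hkey_"):
        return "registry"    # becomes a Registry:: [-key] deletion
    return "file"            # on-disk file or folder, becomes a File:: entry


def triage(text: str) -> dict[str, list[str]]:
    """Group locations by bucket, de-duplicated and in report order."""
    buckets: dict[str, list[str]] = {"file": [], "registry": [], "inert": [], "cookie": []}
    seen: set[str] = set()
    for det in parse_report(text):
        if det.location in seen:
            continue
        seen.add(det.location)
        buckets[bucket(det)].append(det.location)
    return buckets


def build_cfscript(text: str) -> str:
    """Emit File:: and Registry:: sections in the layout used in the thread."""
    buckets = triage(text)
    lines: list[str] = []
    if buckets["file"]:
        lines.append("File::")
        lines.extend(buckets["file"])
    if buckets["registry"]:
        lines.append("Registry::")
        lines.extend(f"[-{key}]" for key in buckets["registry"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_REPORT))
    b = triage(SAMPLE_REPORT)
    print(f"# set aside: {len(b['cookie'])} cookie(s), {len(b['inert'])} archived copy(ies)")
```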
gdowling
2009-08-20, 05:26
I had to run ComboFix twice because it updated itself the first time.
===================
ComboFix 09-08-19.01 - Adrian 08/19/2009 21:36.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.173 [GMT -4:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adrian\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FILE ::
"c:\hp\bin\Terminator.exe"
"c:\keys.ini"
"c:\program files\adtools service"
"c:\temp\salm.log"
"c:\temp\salm_gdf.dat"
"c:\temp\salm_kyf.dat"
"c:\temp\salmau.dat"
"c:\windows\alchem.ini"
"c:\windows\inf\alchem.inf"
"c:\windows\inf\conscorr.inf"
"c:\windows\inf\localnrd.inf"
"c:\windows\inf\polall1r.inf"
"c:\windows\twaintec.ini"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\hp\bin\Terminator.exe
c:\keys.ini
c:\temp\salm.log
c:\temp\salm_gdf.dat
c:\temp\salm_kyf.dat
c:\temp\salmau.dat
c:\windows\alchem.ini
c:\windows\Fonts\Wphv07nb.ttf
c:\windows\inf\alchem.inf
c:\windows\inf\conscorr.inf
c:\windows\inf\localnrd.inf
c:\windows\inf\polall1r.inf
c:\windows\system32\wbem\proquota.exe
c:\windows\twaintec.ini
c:\windows\system32\proquota.exe . . . is missing!!
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.
2009-08-18 15:34 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-18 15:34 . 2009-08-18 15:34 -------- d-----w- c:\program files\Panda Security
2009-08-18 15:15 . 2009-08-18 15:15 152576 ----a-w- c:\documents and settings\Adrian\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 14:28 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\Adrian\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 21:13 . 2009-06-09 15:06 1871872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-16 16:10 . 2009-08-16 16:53 -------- d-----w- C:\rsit
2009-08-14 04:48 . 2009-08-14 04:50 -------- d-----w- c:\program files\ERUNT
2009-08-14 00:35 . 2009-08-14 00:35 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\Symantec
2009-08-14 00:30 . 2009-02-26 19:11 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-08-14 00:28 . 2009-08-14 07:18 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-14 00:28 . 2009-08-14 07:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-14 00:27 . 2006-05-16 14:58 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\WindowsInstaller-KB893803-x86.exe
2009-08-14 00:26 . 2009-02-26 20:19 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\Setup.exe
2009-08-14 00:26 . 2009-02-26 19:07 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\smcinst.exe
2009-08-14 00:26 . 2008-12-10 19:47 3553808 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LUSETUP.EXE
2009-08-14 00:26 . 2008-12-10 19:46 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LuCheck.exe
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:53 . 2009-07-29 04:53 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:53 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 15:17 . 2009-05-21 00:25 -------- d-----w- c:\program files\Java
2009-08-14 07:19 . 2002-07-27 03:33 -------- d-----w- c:\program files\Symantec
2009-08-14 07:18 . 2009-08-14 00:28 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-14 07:18 . 2009-08-14 00:28 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-14 07:18 . 2002-07-27 03:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 05:56 . 2003-11-09 04:52 -------- d-----w- c:\documents and settings\Adrian\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-05 09:11 . 2004-01-10 18:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2002-08-06 02:05 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-06 02:04 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-25 09:23 . 2009-05-21 00:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 18:55 . 2003-11-09 00:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-07-10 05:06 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-08-06 02:03 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-21 04:51 . 2002-12-26 03:17 -------- d-----w- c:\program files\Robot Arena
2009-06-21 04:51 . 2005-07-22 04:06 -------- d-----w- c:\program files\Pyware 3D Java Interactive Viewer
2009-06-21 04:50 . 2002-12-26 19:22 -------- d-----w- c:\program files\LeapFrog
2009-06-21 04:49 . 2002-07-24 23:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-21 04:49 . 2002-07-24 23:21 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-21 04:49 . 2002-12-25 19:25 -------- d-----w- c:\program files\Common Files\aolshare
2009-06-21 04:48 . 2003-11-04 20:00 -------- d-----w- c:\program files\America Online 9.0
2009-06-21 04:48 . 2009-01-30 21:43 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-06-21 04:47 . 2005-12-01 20:02 -------- d-----w- c:\documents and settings\Adrian\Application Data\FaxCtr
2009-06-12 11:50 . 2003-11-09 00:55 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 20:22 . 2009-06-10 20:22 10920 ----a-w- C:\aolconnfix.exe
2009-06-10 14:21 . 2003-11-09 00:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-08-06 02:06 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 15:06 . 2003-11-09 00:54 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2003-05-30 14:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2002-12-26 19:45 . 2002-12-26 19:45 6021736 ----a-w- c:\program files\MindStation.exe
2007-03-10 03:54 . 2006-11-24 16:48 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-03-10 03:54 . 2006-11-24 16:48 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-10 03:54 . 2006-11-24 16:48 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-08-17_02.23.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-20 01:07 . 2009-08-20 01:07 16384 c:\windows\Temp\Perflib_Perfdata_4a4.dat
- 2004-08-19 15:15 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
+ 2004-08-19 15:15 . 2007-07-27 14:41 26488 c:\windows\system32\spupdsvc.exe
- 2007-12-09 16:59 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2007-12-09 16:59 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 44544 c:\windows\system32\pngfilt.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
- 2006-10-27 20:09 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-10-27 20:09 . 2009-06-29 16:12 52224 c:\windows\system32\msfeedsbs.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 27648 c:\windows\system32\jsproxy.dll
- 2002-08-29 11:14 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
- 2006-10-27 07:44 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
+ 2006-10-27 07:44 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
- 2002-08-06 02:04 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
+ 2002-08-06 02:04 . 2009-06-29 16:12 44544 c:\windows\system32\iernonce.dll
+ 2002-08-29 11:14 . 2009-06-29 11:07 70656 c:\windows\system32\ie4uinit.exe
- 2002-08-29 11:14 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
- 2006-10-17 17:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
+ 2006-10-17 17:58 . 2009-06-29 16:12 63488 c:\windows\system32\icardie.dll
+ 2009-06-12 11:50 . 2009-06-12 11:50 76288 c:\windows\system32\dllcache\telnet.exe
+ 2006-05-10 05:23 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-20 10:04 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-17 10:20 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-08-17 10:20 . 2009-06-29 11:07 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2006-10-27 07:44 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\iernonce.dll
- 2006-10-27 07:44 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-10-17 18:06 . 2009-06-29 16:12 78336 c:\windows\system32\dllcache\ieencode.dll
- 2006-10-17 18:06 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll
- 2006-10-27 07:44 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2006-10-27 07:44 . 2009-06-29 11:07 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 63488 c:\windows\system32\dllcache\icardie.dll
- 2006-10-17 18:03 . 2007-01-09 00:01 17408 c:\windows\system32\dllcache\corpol.dll
+ 2006-10-17 18:03 . 2009-06-29 16:12 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 18:55 . 2009-07-17 18:55 58880 c:\windows\system32\dllcache\atl.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-08-18 14:10 . 2009-04-29 04:55 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-08-18 14:10 . 2009-04-29 04:55 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-08-18 14:10 . 2009-04-28 09:05 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-08-18 14:10 . 2009-04-29 04:55 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-08-18 14:11 . 2009-04-28 09:05 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-08-18 14:11 . 2009-04-29 04:55 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-08-18 14:11 . 2007-01-09 00:01 17408 c:\windows\ie7updates\KB972260-IE7\corpol.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 233472 c:\windows\system32\webcheck.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 105984 c:\windows\system32\url.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 102912 c:\windows\system32\occache.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 671232 c:\windows\system32\mstime.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 193024 c:\windows\system32\msrating.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 477696 c:\windows\system32\mshtmled.dll
- 2002-08-29 11:14 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
+ 2006-10-27 20:09 . 2009-06-29 16:12 459264 c:\windows\system32\msfeeds.dll
- 2006-10-27 20:09 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
+ 2009-08-18 15:17 . 2009-07-25 09:23 149280 c:\windows\system32\javaws.exe
+ 2009-08-18 15:17 . 2009-07-25 09:23 145184 c:\windows\system32\javaw.exe
+ 2009-08-18 15:17 . 2009-07-25 09:23 145184 c:\windows\system32\java.exe
+ 2006-10-17 17:57 . 2009-06-29 16:12 268288 c:\windows\system32\iertutil.dll
- 2006-10-17 17:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
- 2002-08-29 11:14 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 17:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
- 2002-08-06 02:04 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
+ 2002-08-06 02:04 . 2009-06-29 08:33 161792 c:\windows\system32\ieakui.dll
+ 2003-11-09 00:53 . 2009-06-29 16:12 230400 c:\windows\system32\ieaksie.dll
- 2003-11-09 00:53 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
- 2003-11-09 00:53 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
+ 2003-11-09 00:53 . 2009-06-29 16:12 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 07:56 . 2009-06-29 16:12 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 07:56 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2002-08-29 11:14 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 214528 c:\windows\system32\dxtrans.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 347136 c:\windows\system32\dxtmsft.dll
- 2002-08-29 11:14 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
+ 2009-07-14 03:43 . 2009-07-14 03:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
- 2006-08-17 12:28 . 2006-08-17 12:28 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2006-08-17 12:28 . 2009-06-10 06:32 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 827392 c:\windows\system32\dllcache\wininet.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2006-10-27 20:09 . 2009-06-29 16:12 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-10-27 20:09 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-10-17 18:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 18:05 . 2009-06-29 16:12 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 18:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 18:04 . 2009-06-29 16:12 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:23 . 2009-06-29 16:12 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2007-08-20 10:04 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-10-17 18:04 . 2009-06-29 08:35 634632 c:\windows\system32\dllcache\iexplore.exe
- 2007-08-20 10:04 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-10-27 07:44 . 2009-06-29 16:12 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2006-10-27 07:44 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2006-10-27 07:42 . 2009-06-29 08:33 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-10-27 07:42 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-10-27 07:44 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-27 07:44 . 2009-06-29 16:12 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-10-27 07:44 . 2009-06-29 16:12 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-10-27 07:44 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:22 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-05-10 05:22 . 2009-06-29 16:12 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-10-27 07:44 . 2009-06-29 16:12 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-10-27 07:44 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2002-08-29 11:14 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
+ 2002-08-29 11:14 . 2009-06-29 16:12 124928 c:\windows\system32\advpack.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 827392 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-08-18 14:11 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-08-18 14:11 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-08-18 14:10 . 2009-04-29 04:56 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-08-18 14:10 . 2009-04-29 04:55 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-08-18 14:11 . 2009-04-25 05:27 636088 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-08-18 14:10 . 2009-04-29 04:55 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-08-18 14:11 . 2009-04-25 05:26 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-08-18 14:11 . 2009-04-29 04:55 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
+ 2009-08-20 01:11 . 2009-08-20 01:11 167936 c:\windows\ERDNT\AutoBackup\8-19-2009\Users\00000002\UsrClass.dat
+ 2009-08-20 01:11 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-19-2009\ERDNT.EXE
+ 2009-08-18 13:42 . 2009-08-18 13:42 163840 c:\windows\ERDNT\AutoBackup\8-18-2009\Users\00000002\UsrClass.dat
+ 2009-08-18 13:42 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-18-2009\ERDNT.EXE
+ 2009-04-17 12:59 . 2009-04-17 12:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
+ 2004-01-21 20:20 . 2009-06-29 16:12 1159680 c:\windows\system32\urlmon.dll
- 2004-01-21 20:20 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2004-07-07 22:37 . 2009-07-19 13:33 3597824 c:\windows\system32\mshtml.dll
+ 2006-10-27 20:09 . 2009-07-19 13:32 6067200 c:\windows\system32\ieframe.dll
+ 2006-09-06 05:01 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
+ 2006-05-10 05:23 . 2009-06-29 16:12 1159680 c:\windows\system32\dllcache\urlmon.dll
- 2006-05-10 05:23 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2007-10-29 22:43 . 2009-06-03 19:27 1290752 c:\windows\system32\dllcache\quartz.dll
+ 2006-11-08 05:06 . 2009-07-10 13:42 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2006-05-19 15:08 . 2009-07-19 13:33 3597824 c:\windows\system32\dllcache\mshtml.dll
+ 2007-08-20 10:04 . 2009-07-19 13:32 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2007-04-17 09:32 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-08-18 14:10 . 2009-04-29 04:56 1159680 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-08-18 14:10 . 2009-04-29 04:56 3596288 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-08-18 14:10 . 2009-04-29 04:55 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-08-18 14:11 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
+ 2009-08-20 01:11 . 2009-08-20 01:11 2916352 c:\windows\ERDNT\AutoBackup\8-19-2009\Users\00000001\NTUSER.DAT
+ 2009-08-18 13:42 . 2009-08-18 13:42 2916352 c:\windows\ERDNT\AutoBackup\8-18-2009\Users\00000001\NTUSER.DAT
+ 2003-09-17 04:25 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll
+ 2005-05-12 11:13 . 2009-07-29 21:49 24281536 c:\windows\system32\MRT.exe
+ 2009-07-14 03:43 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Watch.lnk.disabled [2004-10-1 745]
c:\documents and settings\Adrian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online Tray Icon.lnk.disabled [2003-11-8 834]
hp center.lnk - c:\program files\hp center\137903\Program\BWCHelpr-137903.dll [2002-7-24 20480]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WG311v3 Wireless Assistant.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2005-8-28 2238]
TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2004-10-1 23552]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IgfxTray"=c:\windows\System32\igfxtray.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/18/2009 11:34 AM 28544]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/14/2009 1:08 AM 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\system32\drivers\MS20022K.sys [12/26/2002 4:28 PM 14781]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [12/25/2005 1:39 AM 27904]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PAVBOOT
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 22:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-20 22:12
ComboFix-quarantined-files.txt 2009-08-20 02:11
ComboFix2.txt 2009-08-17 02:34
Pre-Run: 19,062,513,664 bytes free
Post-Run: 19,052,957,696 bytes free
393 --- E O F --- 2009-08-18 23:55
gdowling
2009-08-20, 05:27
===================
Logfile of random's system information tool 1.06 (written by random/random)
Run by Adrian at 2009-08-19 22:15:55
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 18 GB (34%) free of 53 GB
Total RAM: 511 MB (25% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:13 PM, on 8/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdicoms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Adrian\Desktop\RSIT.exe
C:\Documents and Settings\Adrian\Desktop\Adrian.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: America Online Tray Icon.lnk.disabled
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/030227/MPChWrapper.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.classlink2000.com/sites/FILES/wfica.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124311475640
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 8125 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\SOFTWARE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-07-25 73728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-06-05 86016]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"KBD"=C:\HP\KBD\KBD.EXE [2001-07-07 61440]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2001-12-19 212992]
"PS2"=C:\WINDOWS\system32\ps2.exe [2002-06-14 81920]
"checktime"=c:\program files\HPSelect\Frontend\ct.exe [2002-01-26 45056]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2006-11-24 180269]
"LTMSG"=LTMSG.exe 7 []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-08-02 139264]
"lxdimon.exe"=C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe [2007-05-07 435120]
"lxdiamon"=C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe [2007-03-05 20480]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-12-18 115560]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-08-02 139264]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
America Online Tray Icon.lnk.disabled - C:\Program Files\America Online 9.0\aoltray.exe
hp center.lnk - C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
NETGEAR WG311v3 Wireless Assistant.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe
TextBridge Instant Access OCR.lnk - C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
C:\Documents and Settings\Adrian\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-11-02 348160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2006-09-20 441136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccEvtMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ccSetMgr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SmcService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Symantec Antivirus]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SYMTDI]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe"="C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\lxdicoms.exe"="C:\WINDOWS\system32\lxdicoms.exe:*:Enabled:Lexmark Communications System"
"C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\Program Files\Lexmark 3500-4500 Series\App4R.exe"="C:\Program Files\Lexmark 3500-4500 Series\App4R.exe:*:Enabled:Lexmark Imaging Studio"
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe"="C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader"
"C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"="C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe:*:Enabled:Device Monitor"
"C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe"="C:\Program Files\Lexmark 3500-4500 Series\Wireless\lxdiwpss.exe:*:Enabled: "
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe"="C:\Program Files\Common Files\AOL\1130391532\ee\AOLServiceHost.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Lexmark 3500-4500 Series\app4r.exe"="C:\Program Files\Lexmark 3500-4500 Series\app4r.exe:*:Enabled:Lexmark Imaging Studio"
======File associations======
.js - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1
======List of files/folders created in the last 3 months======
2009-08-19 22:12:07 ----A---- C:\ComboFix.txt
2009-08-19 21:33:33 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-19 21:33:32 ----A---- C:\WINDOWS\SWREG.exe
2009-08-19 21:33:32 ----A---- C:\WINDOWS\PEV.exe
2009-08-19 21:33:31 ----A---- C:\WINDOWS\zip.exe
2009-08-19 21:33:31 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-08-19 21:33:31 ----A---- C:\WINDOWS\SWSC.exe
2009-08-19 21:33:31 ----A---- C:\WINDOWS\sed.exe
2009-08-19 21:33:31 ----A---- C:\WINDOWS\grep.exe
2009-08-18 11:34:12 ----D---- C:\Program Files\Panda Security
2009-08-18 11:17:54 ----A---- C:\WINDOWS\system32\javaws.exe
2009-08-18 11:17:54 ----A---- C:\WINDOWS\system32\javaw.exe
2009-08-18 11:17:54 ----A---- C:\WINDOWS\system32\java.exe
2009-08-18 10:28:27 ----A---- C:\WINDOWS\system32\wmpns.dll
2009-08-18 10:22:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-18 10:20:34 ----HDC---- C:\WINDOWS\$NtUninstallKB961371-v2$
2009-08-18 10:19:26 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-18 10:17:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-18 10:17:30 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-18 10:16:55 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-08-18 10:16:32 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-08-18 10:16:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-18 10:14:51 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2009-08-18 10:05:47 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-18 10:04:03 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-18 09:59:12 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-16 21:54:06 ----A---- C:\Boot.bak
2009-08-16 21:52:58 ----RASHD---- C:\cmdcons
2009-08-16 21:48:47 ----D---- C:\Qoobox
2009-08-16 17:14:51 ----D---- C:\Documents and Settings\Adrian\Application Data\Malwarebytes
2009-08-16 17:14:21 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-08-16 17:14:18 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-08-16 12:10:00 ----D---- C:\rsit
2009-08-14 01:02:01 ----D---- C:\WINDOWS\ERDNT
2009-08-14 00:48:06 ----D---- C:\Program Files\ERUNT
2009-08-13 20:28:38 ----A---- C:\WINDOWS\system32\S32EVNT1.DLL
2009-06-18 19:15:09 ----D---- C:\Documents and Settings\Adrian\Application Data\AdobeUM
2009-06-10 16:22:30 ----A---- C:\aolconnfix.txt
2009-06-10 16:22:30 ----A---- C:\aolconnfix.exe
2009-06-10 03:04:27 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2009-06-10 03:04:06 ----HDC---- C:\WINDOWS\$NtUninstallKB969898$
2009-06-10 03:03:39 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2009-06-10 03:01:34 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2009-05-20 20:27:46 ----D---- C:\WINDOWS\.jagex_cache_32
2009-05-20 20:27:27 ----D---- C:\WINDOWS\Sun
2009-05-20 20:26:26 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-05-20 20:25:41 ----D---- C:\Program Files\Java
2009-05-20 20:24:28 ----D---- C:\Documents and Settings\Adrian\Application Data\Sun
======List of files/folders modified in the last 3 months======
2009-08-19 22:15:55 ----D---- C:\WINDOWS\Prefetch
2009-08-19 22:12:17 ----D---- C:\WINDOWS\system32
2009-08-19 22:02:12 ----D---- C:\WINDOWS
2009-08-19 22:02:11 ----A---- C:\WINDOWS\system.ini
2009-08-19 22:00:00 ----D---- C:\WINDOWS\system32\wbem
2009-08-19 22:00:00 ----D---- C:\WINDOWS\inf
2009-08-19 21:59:58 ----D---- C:\WINDOWS\Fonts
2009-08-19 21:59:57 ----D---- C:\temp
2009-08-19 21:59:48 ----D---- C:\WINDOWS\Temp
2009-08-19 21:51:39 ----D---- C:\WINDOWS\system32\drivers
2009-08-19 21:51:39 ----D---- C:\WINDOWS\AppPatch
2009-08-19 21:51:12 ----D---- C:\Program Files\Common Files
2009-08-19 21:35:36 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-19 21:34:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-08-18 11:34:12 ----D---- C:\Program Files
2009-08-18 11:33:42 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-18 11:18:19 ----SHD---- C:\WINDOWS\Installer
2009-08-18 10:28:24 ----D---- C:\Program Files\Windows Media Player
2009-08-18 10:26:42 ----D---- C:\Program Files\Internet Explorer
2009-08-18 10:22:40 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-18 10:21:21 ----A---- C:\WINDOWS\imsins.BAK
2009-08-18 10:17:34 ----D---- C:\WINDOWS\ServicePackFiles
2009-08-18 10:17:14 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-18 10:13:47 ----D---- C:\WINDOWS\system32\en-US
2009-08-18 10:10:34 ----D---- C:\WINDOWS\ie7updates
2009-08-18 10:04:15 ----D---- C:\Program Files\Outlook Express
2009-08-16 21:54:09 ----RASH---- C:\BOOT.INI
2009-08-14 03:19:02 ----D---- C:\Program Files\Symantec
2009-08-14 03:18:46 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-08-14 01:56:35 ----D---- C:\Program Files\Norton AntiVirus
2009-08-14 01:56:35 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-08-14 01:56:35 ----D---- C:\Documents and Settings\Adrian\Application Data\Symantec
2009-08-13 20:28:17 ----D---- C:\WINDOWS\WinSxS
2009-08-13 20:10:40 ----SD---- C:\WINDOWS\Tasks
2009-08-05 05:11:47 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-07-29 17:49:16 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-29 00:53:14 ----A---- C:\WINDOWS\system32\t2embed.dll
2009-07-29 00:53:14 ----A---- C:\WINDOWS\system32\fontsub.dll
2009-07-19 09:33:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 09:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-17 14:55:28 ----A---- C:\WINDOWS\system32\atl.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmpdxm.dll
2009-07-13 23:43:24 ----A---- C:\WINDOWS\system32\wmp.dll
2009-07-10 13:52:27 ----D---- C:\WINDOWS\Minidump
2009-07-10 12:35:11 ----D---- C:\Program Files\Mozilla Firefox
2009-06-29 12:12:20 ----A---- C:\WINDOWS\system32\wininet.dll
2009-06-29 12:12:19 ----A---- C:\WINDOWS\system32\webcheck.dll
2009-06-29 12:12:19 ----A---- C:\WINDOWS\system32\urlmon.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\url.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\pngfilt.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\occache.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\mstime.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\msrating.dll
2009-06-29 12:12:18 ----A---- C:\WINDOWS\system32\mshtmled.dll
2009-06-29 12:12:16 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2009-06-29 12:12:16 ----A---- C:\WINDOWS\system32\msfeeds.dll
2009-06-29 12:12:16 ----A---- C:\WINDOWS\system32\jsproxy.dll
2009-06-29 12:12:16 ----A---- C:\WINDOWS\system32\iertutil.dll
2009-06-29 12:12:16 ----A---- C:\WINDOWS\system32\iernonce.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\ieencode.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\iedkcs32.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\ieaksie.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\ieakeng.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\icardie.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\extmgr.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\dxtrans.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\corpol.dll
2009-06-29 12:12:14 ----A---- C:\WINDOWS\system32\advpack.dll
2009-06-29 07:07:12 ----A---- C:\WINDOWS\system32\ieudinit.exe
2009-06-29 07:07:11 ----A---- C:\WINDOWS\system32\ie4uinit.exe
2009-06-29 04:33:39 ----A---- C:\WINDOWS\system32\ieakui.dll
2009-06-21 00:51:28 ----D---- C:\Program Files\Robot Arena
2009-06-21 00:51:26 ----D---- C:\Program Files\Pyware 3D Java Interactive Viewer
2009-06-21 00:50:16 ----D---- C:\Program Files\LeapFrog
2009-06-21 00:49:54 ----HD---- C:\Program Files\InstallShield Installation Information
2009-06-21 00:49:43 ----D---- C:\Program Files\Hewlett-Packard
2009-06-21 00:49:02 ----D---- C:\Program Files\Common Files\aolshare
2009-06-21 00:48:56 ----D---- C:\Program Files\AOL
2009-06-21 00:48:56 ----D---- C:\Program Files\America Online 9.0
2009-06-21 00:48:54 ----D---- C:\Program Files\Lexmark Fax Solutions
2009-06-21 00:47:59 ----D---- C:\Documents and Settings\Adrian\Application Data\FaxCtr
2009-06-20 15:36:52 ----SD---- C:\Documents and Settings\Adrian\Application Data\Microsoft
2009-06-18 19:03:10 ----A---- C:\WINDOWS\win.ini
2009-06-12 07:50:53 ----A---- C:\WINDOWS\system32\telnet.exe
2009-06-10 10:21:48 ----A---- C:\WINDOWS\system32\avifil32.dll
2009-06-10 02:32:40 ----A---- C:\WINDOWS\system32\wkssvc.dll
2009-06-09 11:06:50 ----A---- C:\WINDOWS\system32\mstscax.dll
2009-06-03 15:27:58 ----A---- C:\WINDOWS\system32\quartz.dll
2009-05-26 09:47:03 ----A---- C:\WINDOWS\system32\ieframe.dll.mui
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 NPPTNT2;NPPTNT2; \??\C:\WINDOWS\system32\npptNT2.sys []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SRTSP;SRTSP; C:\WINDOWS\System32\Drivers\SRTSP.SYS [2008-12-19 280112]
R1 SRTSPX;SRTSPX; C:\WINDOWS\System32\Drivers\SRTSPX.SYS [2008-12-19 43824]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2002-06-19 5589]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2002-06-19 22995]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2008-08-21 191536]
R1 WPS;WPS; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2002-06-06 40368]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2002-07-16 23701]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2002-07-16 34805]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2002-07-16 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2002-07-16 2201]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2002-07-16 54900]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2002-07-16 14421]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2002-07-16 6325]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2002-07-16 91156]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2002-07-16 95125]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 catchme;catchme; \??\C:\DOCUME~1\Adrian\LOCALS~1\Temp\catchme.sys []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-11-02 773565]
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MxlW2k;MxlW2k; C:\WINDOWS\system32\drivers\MxlW2k.sys [2002-07-24 28164]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090818.016\NAVENG.SYS []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090818.016\NAVEX15.SYS []
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-03-09 13780]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2007-07-12 96384]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2008-08-21 27696]
R3 Teefer2;Teefer2 Miniport; C:\WINDOWS\system32\DRIVERS\teefer2.sys [2008-10-14 49536]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;USB Root Hub (usbport); C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
R3 W8335XP;NETGEAR WG311v3 802.11g Wireless PCI Adapter for Windows XP (8335); C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys [2005-02-22 265984]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2002-10-15 33588]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\WINDOWS\system32\drivers\WmBEnum.sys [2003-03-25 10144]
R3 WmXlCore;Logitech WingMan Translation Layer Driver; C:\WINDOWS\system32\drivers\WmXlCore.sys [2003-03-25 40256]
S1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-05-22 90336]
S1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-05-22 69504]
S3 A4S2600;A4S2600; C:\WINDOWS\System32\drivers\A4S2600.sys [1998-05-07 71520]
S3 COH_Mon;COH_Mon; \??\C:\WINDOWS\system32\Drivers\COH_Mon.sys []
S3 dbustrcm;dbustrcm; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\dbustrcm.sys []
S3 DockingGroup;LeapFrog WDM USB Device Driver; C:\WINDOWS\System32\Drivers\MS20022K.sys [2002-08-05 14781]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\System32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2001-08-08 158140]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2001-08-08 12479]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2001-08-08 12031]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2001-08-08 11679]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2001-08-08 11999]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2001-08-08 19359]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2001-08-08 29215]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2001-08-08 19199]
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2001-08-08 33503]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2001-08-08 23519]
S3 mbr;mbr; \??\C:\DOCUME~1\Adrian\LOCALS~1\Temp\mbr.sys []
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 nv4;nv4; C:\WINDOWS\System32\DRIVERS\nv4.sys [2001-08-17 731648]
S3 perm2;perm2; C:\WINDOWS\System32\DRIVERS\perm2.sys [2004-08-04 27904]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 S3Psddr;S3Psddr; C:\WINDOWS\System32\DRIVERS\s3gnbm.sys [2002-07-13 155008]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-04-09 188032]
S3 SRTSPL;SRTSPL; C:\WINDOWS\System32\Drivers\SRTSPL.SYS [2008-12-19 319792]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2004-08-04 17024]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WmFilter;Logitech WingMan HID Filter Driver; C:\WINDOWS\system32\drivers\WmFilter.sys [2003-03-25 21216]
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\WINDOWS\system32\drivers\WmVirHid.sys [2003-03-25 5728]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WpsHelper;WpsHelper; \??\C:\WINDOWS\system32\drivers\WpsHelper.sys []
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 SysPlant;SysPlant for NT; C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys [2009-02-26 91976]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe [2004-04-21 1434848]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2008-12-10 558456]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-07-25 153376]
R2 LiveUpdate Notice Ex;LiveUpdate Notice Service Ex; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-12-18 108392]
R2 lxdi_device;lxdi_device; C:\WINDOWS\system32\lxdicoms.exe [2007-04-26 517040]
R2 MSSQL$SQLEXPRESS;SQL Server (SQLEXPRESS); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
R2 SmcService;Symantec Management Client; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [2009-02-26 1799496]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2009-01-30 1251720]
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2003-08-27 65536]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
S2 Symantec AntiVirus;Symantec Endpoint Protection; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2009-02-01 2440120]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2008-12-10 3093880]
S3 SNAC;Symantec Network Access Control; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [2009-02-01 320840]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]
-----------------EOF-----------------
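The RSIT log above is long, and most of it is expected Symantec, HP, Lexmark and AOL entries. Added example, not part of this thread and not RSIT's or ComboFix's code: a small Python triage script that parses the four line formats a helper reads first in an RSIT log (the driver and service lists, the Run keys, the firewall exception lists, and the files-created list) and flags the entries worth a second look. The heuristics are my assumptions about what merits attention (a driver running from a Temp directory, a Run value with no full path such as LTMSG.exe, an executable sitting directly in the Windows directory, an entry RSIT printed no date and size for, an enabled firewall exception); the sample lines are copied from the log above.

```python
"""Triage of RSIT log lines: drivers and services, Run keys, firewall
exceptions, and files created.  Added example for this thread; it is not RSIT
or ComboFix code, and the heuristics are the author's assumptions about what
deserves a second look, not a verdict."""
import re

# R3 catchme;catchme; \??\C:\DOCUME~1\Adrian\LOCALS~1\Temp\catchme.sys []
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<stat>[^\]]*)\]\s*$")
# "LTMSG"=LTMSG.exe 7 []
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.*?)\s*\[(?P<stat>[^\]]*)\]\s*$')
# "C:\...\waol.exe"="C:\...\waol.exe:*:Enabled:America Online 9.0"
FW_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"\s*$')
# 2009-08-19 21:33:33 ----A---- C:\WINDOWS\NIRCMD.exe
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+-+(?P<attrs>[A-Z]*)-+\s+(?P<path>.+?)\s*$")
# an executable dropped straight into the Windows directory, not a subdirectory
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll|sys|com|scr)$")
FULLPATH_RE = re.compile(r"^([a-z]:\\|%[a-z]+%\\)")


def path_reasons(path, stat=None):
    """Heuristic flags for one path; stat is the text inside RSIT's [date size]."""
    low = path.replace("\\??\\", "").lower()   # drop the NT object-manager prefix
    reasons = []
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory")
    if not FULLPATH_RE.match(low):
        reasons.append("no full path: resolved through the search path")
    if WINROOT_RE.match(low):
        reasons.append("sits directly in the Windows directory")
    if stat == "":
        reasons.append("RSIT printed no date/size for the file")
    return reasons


def parse_line(line):
    """Return (kind, name, path, stat, extra_reasons) for a recognised line."""
    m = DRIVER_RE.match(line)
    if m:
        return "driver/service", m["name"], m["path"], m["stat"], []
    m = FW_RE.match(line)
    if m:
        parts = m["value"].rsplit(":", 3)          # path:scope:mode:name
        if len(parts) != 4:
            return None
        path, _scope, mode, name = parts
        extra = ["firewall exception enabled"] if mode.lower() == "enabled" else []
        return "firewall", name.strip() or path, path, None, extra
    m = RUN_RE.match(line)
    if m:
        exe = re.match(r"(?i)^(.*?\.exe)", m["cmd"])  # strip arguments such as '7'
        return "run key", m["name"], exe.group(1) if exe else m["cmd"], m["stat"], []
    m = CREATED_RE.match(line)
    if m:
        return "new file", m["path"].rsplit("\\", 1)[-1], m["path"], None, []
    return None


def triage(lines):
    """Findings sorted so the entries with the most flags come first."""
    findings = []
    for line in lines:
        parsed = parse_line(line.strip())
        if not parsed:
            continue
        kind, name, path, stat, extra = parsed
        reasons = extra + path_reasons(path, stat)
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    findings.sort(key=lambda f: (-len(f["reasons"]), f["path"].lower()))
    return findings


# Lines copied from the RSIT log in this thread.
SAMPLE = r"""
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
R3 catchme;catchme; \??\C:\DOCUME~1\Adrian\LOCALS~1\Temp\catchme.sys []
S3 dbustrcm;dbustrcm; \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\dbustrcm.sys []
S3 mbr;mbr; \??\C:\DOCUME~1\Adrian\LOCALS~1\Temp\mbr.sys []
R2 WANMiniportService;WAN Miniport (ATW) Service; C:\WINDOWS\wanmpsvc.exe [2003-08-27 65536]
"LTMSG"=LTMSG.exe 7 []
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-12-18 115560]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
2009-08-19 21:33:33 ----A---- C:\WINDOWS\NIRCMD.exe
2009-08-18 11:34:12 ----D---- C:\Program Files\Panda Security
"""

if __name__ == "__main__":
    for f in triage(SAMPLE.splitlines()):
        print(f"{f['kind']:15} {f['name']:25} {f['path']}\n    " + "; ".join(f["reasons"]))
```

A flag is a prompt to look closer, not a verdict. NIRCMD.exe and its neighbours in the files-created list were written minutes before C:\ComboFix.txt, so they belong to that run rather than to the infection, and the Temp-directory drivers were loaded while the scanning tools were in use. The value of the script is that it pulls those few entries out of several hundred lines so each one can be checked by hand.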
How are things running now?
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
FCopy::
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe|C:\windows\system32\proquota.exe
Folder::
c:\program files\adtools service
ADS::
Save this as CFScript.txt and place it on your desktop.
http://i51.photobucket.com/albums/f387/Katana_1970/CFScriptb.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
gdowling
2009-08-23, 04:14
Before I ran the CFScript, I had my son check the computer to see how it was running. He said it is running better than when he had the viruses on it, *but* it was slower than it was before.
Here is the ComboFix log --
==========================
ComboFix 09-08-22.06 - Adrian 08/22/2009 18:43.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.174 [GMT -4:00]
Running from: c:\documents and settings\Adrian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adrian\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\adtools service
c:\program files\adtools service\Info.txt
c:\windows\flow3.exe
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.
2009-08-22 22:45 . 2009-08-22 22:45 -------- d-----w- c:\windows\LastGood
2009-08-22 22:43 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-22 22:43 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 15:34 . 2008-06-19 21:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-18 15:34 . 2009-08-18 15:34 -------- d-----w- c:\program files\Panda Security
2009-08-18 15:15 . 2009-08-18 15:15 152576 ----a-w- c:\documents and settings\Adrian\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 14:28 . 2004-08-04 07:56 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\Adrian\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-16 21:14 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-16 21:14 . 2009-08-16 21:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 21:13 . 2009-06-09 15:06 1871872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2009-08-16 16:10 . 2009-08-16 16:53 -------- d-----w- C:\rsit
2009-08-14 04:48 . 2009-08-14 04:50 -------- d-----w- c:\program files\ERUNT
2009-08-14 00:35 . 2009-08-14 00:35 -------- d-----w- c:\documents and settings\Adrian\Local Settings\Application Data\Symantec
2009-08-14 00:30 . 2009-02-26 19:11 91976 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2009-08-14 00:28 . 2009-08-14 07:18 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-14 00:28 . 2009-08-14 07:18 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-14 00:27 . 2006-05-16 14:58 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\WindowsInstaller-KB893803-x86.exe
2009-08-14 00:26 . 2009-02-26 20:19 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\Setup.exe
2009-08-14 00:26 . 2009-02-26 19:07 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\smcinst.exe
2009-08-14 00:26 . 2008-12-10 19:47 3553808 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LUSETUP.EXE
2009-08-14 00:26 . 2008-12-10 19:46 927096 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{C1B0BDC8-0624-4036-90D1-F7DF0EE8C96D}\LuCheck.exe
2009-08-05 09:11 . 2009-08-05 09:11 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 04:53 . 2009-07-29 04:53 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-29 04:53 . 2009-07-29 04:53 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 15:17 . 2009-05-21 00:25 -------- d-----w- c:\program files\Java
2009-08-14 07:19 . 2002-07-27 03:33 -------- d-----w- c:\program files\Symantec
2009-08-14 07:18 . 2009-08-14 00:28 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-14 07:18 . 2009-08-14 00:28 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-14 07:18 . 2002-07-27 03:33 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-14 05:56 . 2003-11-09 04:52 -------- d-----w- c:\documents and settings\Adrian\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-14 05:56 . 2002-07-27 03:33 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-05 09:11 . 2004-01-10 18:21 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:53 . 2002-08-06 02:05 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2002-08-06 02:04 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-25 09:23 . 2009-05-21 00:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 18:55 . 2003-11-09 00:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-07-10 05:06 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-02-06 22:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2002-08-06 02:03 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-12 11:50 . 2003-11-09 00:55 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 20:22 . 2009-06-10 20:22 10920 ----a-w- C:\aolconnfix.exe
2009-06-10 14:21 . 2003-11-09 00:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2002-08-06 02:06 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-09 15:06 . 2003-11-09 00:54 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2003-05-30 14:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2002-12-26 19:45 . 2002-12-26 19:45 6021736 ----a-w- c:\program files\MindStation.exe
2007-03-10 03:54 . 2006-11-24 16:48 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-03-10 03:54 . 2006-11-24 16:48 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-10 03:54 . 2006-11-24 16:48 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-08-20_02.02.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 22:12 . 2009-08-22 22:12 16384 c:\windows\Temp\Perflib_Perfdata_41c.dat
+ 2009-08-22 22:45 . 2008-04-14 00:12 50176 c:\windows\LastGood\system32\proquota.exe
+ 2009-08-22 21:59 . 2009-08-22 21:59 167936 c:\windows\ERDNT\AutoBackup\8-22-2009\Users\00000002\UsrClass.dat
+ 2009-08-22 21:59 . 2005-10-20 16:02 163328 c:\windows\ERDNT\AutoBackup\8-22-2009\ERDNT.EXE
+ 2009-08-22 21:59 . 2009-08-22 21:59 2916352 c:\windows\ERDNT\AutoBackup\8-22-2009\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2001-12-19 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-06-14 81920]
"checktime"="c:\program files\HPSelect\Frontend\ct.exe" [2002-01-26 45056]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-24 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-02 139264]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-05-07 435120]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-03-05 20480]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-18 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Watch.lnk.disabled [2004-10-1 745]
c:\documents and settings\Adrian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online Tray Icon.lnk.disabled [2003-11-8 834]
hp center.lnk - c:\program files\hp center\137903\Program\BWCHelpr-137903.dll [2002-7-24 20480]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
NETGEAR WG311v3 Wireless Assistant.lnk - c:\windows\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2005-8-28 2238]
TextBridge Instant Access OCR.lnk - c:\program files\TextBridge Classic\Bin\TBMenu.exe [2004-10-1 23552]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6\\0iolobtdfg c:\windows\system32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcxMonitor"=ALCXMNTR.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"IgfxTray"=c:\windows\System32\igfxtray.exe
"NvCplDaemon"=RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"MediaFace Integration"=c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Wireless\\lxdiwpss.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/18/2009 11:34 AM 28544]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/14/2009 1:08 AM 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
S3 DockingGroup;LeapFrog WDM USB Device Driver;c:\windows\system32\drivers\MS20022K.sys [12/26/2002 4:28 PM 14781]
S3 perm2;perm2;c:\windows\system32\drivers\perm2.sys [12/25/2005 1:39 AM 27904]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
Name-Space Handler: ftp\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
Name-Space Handler: http\DLA.IEClickMon - {A5A08E80-B472-11D2-89D1-0080C8C12A3A} - c:\progra~1\iolo\Common\Lib\URLSTO~1.DLL
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Adrian\Application Data\Mozilla\Firefox\Profiles\42nswhtd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 19:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-08-22 19:19
ComboFix-quarantined-files.txt 2009-08-22 23:18
ComboFix2.txt 2009-08-20 02:12
ComboFix3.txt 2009-08-17 02:34
Pre-Run: 18,907,975,680 bytes free
Post-Run: 18,871,447,552 bytes free
193 --- E O F --- 2009-08-18 23:55
There is no sign of infection now. In what way is it slower?
How does the machine connect to the internet?
Click on Start > All Programs > Accessories > System Tools > Disk Cleanup.
Select C drive and click OK.
Put a "Tick" in all the available boxes.
Select the More Options tab.
Under System Restore, click on Clean up....
You will be prompted. Click Yes.
When done, click OK.
You will be prompted again. Press Yes to confirm.
When done, Disk Cleanup will close automatically.
----------------------------------------------------------------------------------------
Step 1
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the following file path into the window:
c:\windows\ltmsg.exe
Click Submit/Send File
When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
----------------------------------------------------------------------------------------
Step 2
Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
**Note**
To optimize scanning time and produce a more sensible report for review: Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
Virus Total Report
Kaspersky Log
How are things running now?
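The Kaspersky Online Scanner report lists each hit as "<path> Infected: <threat> <count>", and on a machine that already runs an AV product many of those hits are files the product has itself locked away (Symantec Endpoint Protection keeps them as Quarantine\*.VBN containers). As an added example that is not part of this thread or of any tool named in it, the Python below parses such a report and separates detections that already sit in a quarantine folder from files still live on disk, which is the first question a helper asks when reading the log; the report lines embedded in it are constructed, and the .tmp and .dll paths are placeholders.

```python
"""Triage a Kaspersky Online Scanner 7 report: quarantined vs. live detections.

Added example for this thread; not code from the original posts, from Kaspersky
or from Symantec. The report text below is constructed in the scanner's own
line format; the DWH*.tmp and example.dll paths are placeholders.
"""
import re
from collections import Counter, namedtuple
from typing import Dict, List

Detection = namedtuple("Detection", "path threat count")

# One report line: "<full path> Infected: <threat name> <threats count>"
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# Markers that a file is already contained by an AV product rather than active:
# a 'Quarantine' folder anywhere in the path, or Symantec's .VBN container extension.
QUARANTINE_DIRS = {"quarantine"}
QUARANTINE_EXTS = {".vbn"}

# Constructed sample report (same layout as the Kaspersky log posted in the thread).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0B940001\4B951216.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40003.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\Adrian\Local Settings\Temp\DWH1234.tmp Infected: Trojan.Win32.Agent.cttq 1
C:\WINDOWS\system32\example.dll Infected: Backdoor.Win32.Sinowal.fci 2
"""


def parse_report(text: str) -> List[Detection]:
    """Return one Detection per 'Infected:' line; header, blank and summary lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def is_quarantined(path: str) -> bool:
    """True when the path lies in a quarantine folder or is a quarantine container file."""
    parts = [p.lower() for p in re.split(r"[\\/]", path) if p]
    if any(p in QUARANTINE_DIRS for p in parts[:-1]):
        return True
    return any(parts[-1].endswith(ext) for ext in QUARANTINE_EXTS)


def triage(text: str) -> Dict[str, object]:
    """Split a report into already-contained hits and hits that still need attention."""
    dets = parse_report(text)
    quarantined = [d for d in dets if is_quarantined(d.path)]
    live = [d for d in dets if not is_quarantined(d.path)]
    return {
        "total": len(dets),
        "quarantined": quarantined,
        "live": live,
        # Per-family counts help spot a live component of a family already seen in quarantine.
        "quarantined_threats": Counter(d.threat for d in quarantined),
        "live_threats": Counter(d.threat for d in live),
    }


def summarize(text: str) -> str:
    """Human-readable summary: live paths first, quarantine totals last."""
    r = triage(text)
    lines = [f"{r['total']} detections: {len(r['quarantined'])} in quarantine, {len(r['live'])} live"]
    for d in r["live"]:
        lines.append(f"  LIVE  {d.threat:<32} {d.path}")
    for threat, n in sorted(r["quarantined_threats"].items()):
        lines.append(f"  QUAR  {threat:<32} x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Feeding the full report into `summarize()` shows at a glance whether anything outside the AV quarantine folder was flagged; in the sample only the Temp and system32 placeholders are live.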
gdowling
2009-08-24, 05:20
Here is the URL to the "ltmsg.exe" analysis -- http://www.virustotal.com/analisis/771f4d56e7de7e46682adb0f8b5936454165f4cd77bdfedca68d8d6326b8159c-1251057338
I also performed the Disk Cleanup as mentioned above. The computer is slow to login and load programs -- and it still launches Spybot to scan the file "BWCHelpr-137903.dll". It takes a while to load any program, and it is slow to launch IE and go to any website. [Even the ComboFix program takes about 30 minutes to run.] Currently, this computer is connected to a cable modem via a 10/100 router (one of the ports... not wireless).
The Kaspersky AV log is below -- at least I was able to see the website in English this time. It took almost 6 hours to run. However, when I hit the "reply" button to type this response in, my AV program detected three "Trojan Horse" TMP files (all beginning with DWH) in my Temp directory.
===============================
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, August 23, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 23, 2009 20:54:02
Records in database: 2681601
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
Scan statistics:
Objects scanned: 142296
Threats found: 12
Infected objects found: 139
Suspicious objects found: 0
Scan duration: 05:53:23
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0B940001\4B951216.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0B940002\4B95126A.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0B940003\4B9512B8.VBN Infected: Trojan.Win32.Inject.afgz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DC40000\4FCC8CBC.VBN Infected: Trojan.Win32.Agent2.cgis 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DC40001\4FCC9E35.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DC40002\4FCC9ED3.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD80000\4FDD87EC.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD80001\4FDD8A73.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD80002\4FDD8ACF.VBN Infected: Backdoor.Win32.Sinowal.fci 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD80003\4FDD8B0B.VBN Infected: Trojan.Win32.Agent2.cgis 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD80008\4FDD8CC1.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD8000A\4FDD8DDA.VBN Infected: Backdoor.Win32.Bredolab.gu 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD8000C\4FDD8E44.VBN Infected: Trojan.Win32.Inject.afgz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD8000D\4FDD9689.VBN Infected: Exploit.JS.Pdfka.mr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0DD8000E\4FDD96C8.VBN Infected: Exploit.SWF.Agent.bl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40000.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40001.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40003.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40004.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40005.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40006.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40007.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40008.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40009.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4000A.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4000D.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4000E.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4000F.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40010.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40012.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40013.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40014.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40015.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40017.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40018.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40019.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001A.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001B.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001C.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001D.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001E.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4001F.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40021.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40022.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40025.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40027.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40028.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40029.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4002A.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4002B.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4002D.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40030.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40031.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40032.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40034.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40036.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40037.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40038.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003A.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003B.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003C.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003D.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003E.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4003F.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40040.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40041.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40047.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40049.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4004A.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4004F.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40052.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40055.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40056.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40057.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40058.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4005A.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4005B.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4005D.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4005F.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40060.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40061.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40064.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40065.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40066.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40067.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40068.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4006A.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4006B.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4006C.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4006E.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40070.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40071.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40073.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40074.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40076.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40077.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40079.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4007A.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4007C.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4007D.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4007E.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40081.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40083.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40087.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40088.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40089.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4008A.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4008B.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4008C.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4008E.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4008F.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40090.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40092.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40093.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40095.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40096.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40098.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4009A.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4009B.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4009D.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE4009F.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A0.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A1.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A2.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A3.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A4.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A5.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A6.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A7.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A8.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400A9.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400AB.VBN Infected: Trojan.Win32.Inject.aeew 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400AD.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400B0.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400B2.VBN Infected: Trojan.Win32.Agent.cttq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400B3.VBN Infected: Trojan-Spy.Win32.Small.cdb 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400B4.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE400B5.VBN Infected: Trojan.Win32.Tdss.aiay 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iosocket.dll.vir Infected: Trojan.Win32.BHO.xvv 1
Selected area has been scanned.
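Every path in the report above sits under a quarantine folder (Symantec Endpoint Protection's Quarantine directory or ComboFix's C:\Qoobox\Quarantine), which is why nothing in it is still active. As an added example that is not part of the original thread, here is a small Python triage script for this report format: it splits detections into those already held in a quarantine folder and those still live on disk, and tallies detection families. The quarantine path markers and the sample report (two lines copied from the report above plus one constructed live path, C:\WINDOWS\Temp\constructed-sample.exe, which does not exist on the poster's machine) are assumptions for illustration.

```python
"""Added example: triage a Kaspersky-style scan report.

Each detection line has the form '<path> Infected: <detection name> <count>'.
A path inside a known quarantine folder is already contained; any other path
is a live file that still needs attention.  The quarantine markers below are
assumptions based on the folders seen in this thread, not a product list."""
import re
from collections import Counter

# Assumption: quarantine folders as they appear in the thread's report
# (Symantec Endpoint Protection and ComboFix).  Compared case-insensitively.
QUARANTINE_MARKERS = (
    r"\symantec endpoint protection\quarantine",
    r"\qoobox\quarantine",
)

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<count>\d+)\s*$"
)


def parse_line(line):
    """Return {'path','name','count'} for a detection line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "name": m.group("name"),
        "count": int(m.group("count")),
    }


def is_quarantined(path):
    """True when the file sits under one of the known quarantine folders."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def family(name):
    """Strip the variant suffix: 'Trojan-Spy.Win32.Zbot.wto' -> 'Trojan-Spy.Win32.Zbot'."""
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 2 else name


def triage(report_text):
    """Split detections into 'contained' (quarantined) and 'live'; count families."""
    live, contained, families = [], [], Counter()
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # headers, 'Selected area has been scanned.', blank lines
            continue
        families[family(rec["name"])] += rec["count"]
        (contained if is_quarantined(rec["path"]) else live).append(rec)
    return {"live": live, "contained": contained, "families": families}


# Constructed sample: two lines copied from the thread's report plus one
# made-up live path (C:\WINDOWS\Temp\constructed-sample.exe is not real;
# it is here only to exercise the 'live' branch).
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0EE40049.VBN Infected: Trojan-Spy.Win32.Zbot.wto 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\iosocket.dll.vir Infected: Trojan.Win32.BHO.xvv 1
C:\WINDOWS\Temp\constructed-sample.exe Infected: Trojan.Win32.Tdss.aiay 1
Selected area has been scanned.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"contained: {len(result['contained'])}, live: {len(result['live'])}")
    for rec in result["live"]:
        print("STILL LIVE:", rec["path"], rec["name"])
    for fam, n in result["families"].most_common():
        print(f"{n:3d}  {fam}")
```

Run against the full report above, the "live" list comes back empty, which is the check behind the reply that follows: quarantined copies are evidence of what was removed, not something that still needs fixing. Adjust QUARANTINE_MARKERS if a different product's quarantine folder is involved.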
There is no infection showing there; they have all been removed already.
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: America Online Tray Icon.lnk.disabled
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
O4 - Global Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
Download Winpatrol (http://www.winpatrol.com) It is an excellent startup manager and then some !!
Install Winpatrol, and when running click on the Startup Programs tab
The following items can safely be disabled.
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxdimon.exe] "C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe"
O4 - HKLM\..\Run: [lxdiamon] "C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe"
Just click on each item and then click Disable
(if the program is running, Winpatrol will ask if you wish to stop it)
Reboot your computer and see if that has helped the boot time.
How are things running now ?
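The O4 lines above are HijackThis's view of the autorun locations (the Run keys under HKLM and HKCU, the per-user and global Startup folders). As an added example that is not part of the original thread, here is a Python script that parses O4 lines into location, name and target, and flags the traits an analyst looks at first when deciding what to fix versus what to merely disable: a target HijackThis could not resolve (shown as ?), a target with no directory at all, a numeric-only executable name, and a target living in a user-writable profile directory such as Application Data. The heuristics, the directory markers, and the constructed [12345678] entry (a made-up path standing in for the numbered-executable pattern described at the start of the thread) are assumptions; the other sample lines are copied from the log above.

```python
"""Added example: parse HijackThis O4 (autorun) lines and flag the ones that
deserve a closer look.  Heuristics and directory markers are assumptions."""
import re

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
REG_VALUE_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First path-like token ending in an executable extension, quoted or not.
EXE_RE = re.compile(
    r"^(?P<exe>.*?\.(?:exe|dll|com|scr|pif|bat|cmd|vbs|js))(?=\s|$)", re.IGNORECASE
)
# Assumption: directories an ordinary user (or malware running as one) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def parse_o4(line):
    """Return {'location','name','command'} for an O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    loc, rest = m.group("loc"), m.group("rest")
    r = REG_VALUE_RE.match(rest)
    if r:  # registry Run value: [ValueName] command line
        return {"location": loc, "name": r.group("name"), "command": r.group("cmd")}
    # Startup-folder item: '<shortcut>.lnk = <target>' or a bare file name
    name, sep, target = rest.partition(" = ")
    return {"location": loc, "name": name, "command": target if sep else name}


def executable(command):
    """Pull the program path out of a command line; None if HijackThis shows '?'."""
    cmd = command.strip()
    if not cmd or cmd == "?":
        return None
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def review_flags(entry):
    """Traits worth a second look before deciding to fix or merely disable an entry."""
    flags = []
    exe = executable(entry["command"])
    if exe is None:
        return ["unresolved target"]
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if stem.isdigit():
        flags.append("numeric-only filename")
    if "\\" not in exe:
        flags.append("no directory in target")
    low = exe.lower()
    if any(marker in low for marker in USER_WRITABLE):
        flags.append("runs from a user-writable profile directory")
    return flags


def triage_o4(hjt_text):
    """Parse every O4 line in an HJT log and attach review flags."""
    results = []
    for line in hjt_text.splitlines():
        entry = parse_o4(line)
        if entry:
            entry["flags"] = review_flags(entry)
            results.append(entry)
    return results


# Sample: lines copied from the log above plus one constructed entry
# ([12345678]); that path is made up to show the numbered-executable pattern.
SAMPLE_HJT = r"""
Running processes:
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [12345678] C:\Documents and Settings\All Users\Application Data\12345678.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BWCHelpr-137903.dll
O4 - Global Startup: NETGEAR WG311v3 Wireless Assistant.lnk = ?
"""

if __name__ == "__main__":
    for e in triage_o4(SAMPLE_HJT):
        mark = "REVIEW" if e["flags"] else "ok    "
        print(f"{mark} {e['location']:<22} {e['name']:<40} {', '.join(e['flags'])}")
```

A flag is a prompt to look, not a verdict: LTMSG.exe with no directory is a common vendor entry, while a numeric name in All Users\Application Data is the pattern that started this thread. Entries with no flags are the ones that are usually safe to just disable for boot-time reasons.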
gdowling
2009-08-25, 16:48
Things are running a bit better than before... but still a tad slow. It took a little over 1 minute to load up the default IE page (msn.com), but the actual login process to the computer was better.
At this point, I'll go ahead and do the defrag/scandisk and all of that fun stuff. At least I can now see the light at the end of the tunnel.
Thank you for all of your help!!! It is much appreciated.
Have you tried running a "Vanilla" IE ?
Start > All Programs > Accessories > System Tools - IE (No Add-Ons)
Other than that, I don't have much to suggest (apart from the defrag you already mentioned )
----------------------------------------------------------------------------------------
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
OTCleanup
Please download OTCleanup from HERE (http://oldtimer.geekstogo.com/OTC.exe)
Click the OTC.exe icon and then click the CleanUp button.
If you get any pop ups asking if it is OK let the program proceed. At the end the program will ask to let it reboot the computer. Let it do so.
Let me know if there were any problems with OT CleanIt
You can also delete any logs we have produced, and empty your Recycle bin.
----------------------------------------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you; see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have free (for Home Users) and paid versions;
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must-have program. It includes host protection and registry protection. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A new and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup. Allows delayed startup. A must-have addition.
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD; it adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE 7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy, this is a very popular choice. The NoScript and AdBlockPlus addons are essential.
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative. Also has addons available.
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible; you can choose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
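The phone-book description of the hosts file in the Spybot and MVPS HOSTS entries above is also why hosts-based blocking has limits: the resolver matches whole hostnames only, so a blocked name does not cover its subdomains, and the file does nothing for connections made straight to an IP address. As an added example, not from this thread and not code from Spybot, Winpatrol or the MVPS project, here is a Python model of the lookup: it parses a hosts file in the MVPS layout (comments, blank lines, several names sharing one line, 0.0.0.0 as the sink address) and answers whether a given name would be blocked. The sample hosts text is constructed for illustration and is not the real MVPS file; the first-match rule is an assumption about how the resolver treats duplicate names.

```python
"""Added example: model what a hosts-file blocklist does.  The resolver
consults the hosts file before DNS, so mapping a name to 0.0.0.0 or 127.0.0.1
sinks it.  Sample data below is constructed, not the real MVPS list."""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}

# Constructed sample in the MVPS layout: comments, blank lines, and several
# hostnames sharing one address on a line.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS hosts file
127.0.0.1 localhost

0.0.0.0 ads.example.net          # advertiser
0.0.0.0 tracker.example.org counter.example.org
192.0.2.10 intranet.example.com  # an ordinary static mapping, not a block
"""


def parse_hosts(text):
    """Map each lowercased hostname to its address; first mapping wins
    (assumption: mirrors the resolver's first-match behaviour)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), addr)
    return table


def resolve(table, hostname):
    """Return the hosts-file answer for hostname, or None to fall through to DNS."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the hosts file sinks this exact name.  'localhost' is the one
    loopback entry that is not a block.  Subdomains are NOT covered: blocking
    ads.example.net says nothing about www.ads.example.net."""
    key = hostname.lower().rstrip(".")
    if key == "localhost":
        return False
    return table.get(key) in SINK_ADDRESSES


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "www.ads.example.net", "intranet.example.com"):
        print(f"{name:25s} blocked={is_blocked(hosts, name)} answer={resolve(hosts, name)}")
```

This is also why the thread says not to stack MVPS HOSTS on top of another hosts-file protection: two tools rewriting the same file will fight over it, and the advice above to pick one is the practical answer.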