Firefox Redirect From Google

Ben h
2009-08-20, 22:26
Hello,

I see that Firefox redirecting is a common problem, but there is not a common fix. I have installed Spyware Doctor and scans using this do not fix the problem.

I have read the instructions and backed up my registry and run HJT; see a copy of the log file below.

Thanks in advance for any advice.

Ben

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:33, on 20/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Outlook Express\msimn.exe
c:\program files\bbc iplayer desktop\bbc iplayer desktop.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 3983 bytes

Shaba
2009-08-23, 11:01
Hi Ben h

HijackThis log isn't complete.

Please rescan with HijackThis and post back a fresh HijackThis log :)

Ben h
2009-08-23, 18:48
Not sure what happened there; here it is again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:42, on 23/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {A38FF314-88B6-11DE-BEBD-168756D89593} - C:\DOCUME~1\Ben\LOCALS~1\Temp\~2D.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PrivacyCenter - {5199201E-60B4-11DE-85CF-260556D89593} - C:\Program Files\PrivacyCenter\protector.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223713212125
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11961 bytes

Shaba
2009-08-23, 19:20
Download gmer.zip (http://gmer.net/gmer.zip) and save it to your desktop.
Alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer, so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
Click on the Rootkit tab.
Look at the right-hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also, do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html).
Important! Please do not select the "Show all" checkbox during the scan.

Ben h
2009-08-24, 08:16
Here you go, ran first time with no problems. However, the text file is huge, so I have uploaded it to my website. I hope this is OK, otherwise it will be over about 10 posts.

http://www.twin-turbo.co.uk/GMER/GMER.txt

Ben

Shaba
2009-08-24, 14:10
It looks to be fine.

Does redirect happen in Firefox only and not in IE?

Ben h
2009-08-24, 19:15
It is still redirecting from Firefox from a Google search. If I try in Explorer it tells me that I have an unregistered version of privacycentre. I had a problem with this not so long ago and thought it had been cleared, but as I never use Explorer I have not seen this until now.

Ben

Shaba
2009-08-24, 19:19
Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

Ben h
2009-08-24, 20:21
GooredFix by jpshortstuff (12.07.09)
Log created at 19:20 on 24/08/2009 (Ben)
Firefox version 3.5.2 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:10 20/07/2005]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [18:17 19/01/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:16 19/01/2009]

-=E.O.F=-

Shaba
2009-08-24, 20:33
We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs, see here (http://www.bleepingcomputer.com/forums/topic114351.html).

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Ben h
2009-08-24, 23:46
Here are the two log files.

ComboFix 09-08-24.05 - Ben 24/08/2009 22:17.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.572 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx

Infected copy of c:\windows\system32\ws2_32.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1464\A0087246.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-24 17:46 . 2009-08-24 17:48 -------- d-----w- c:\documents and settings\Ben\Application Data\FileZilla
2009-08-24 17:45 . 2009-08-24 17:45 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-24 17:45 . 2009-08-24 17:45 4076719 ----a-w- c:\temp\FileZilla_3.2.7.1_win32-setup.exe
2009-08-20 20:17 . 2009-08-20 20:17 -------- d-----w- c:\program files\Trend Micro
2009-08-20 20:16 . 2009-08-20 20:16 812344 ----a-w- c:\temp\HJTInstall.exe
2009-08-20 20:13 . 2009-08-20 20:13 -------- d-----w- c:\program files\ERUNT
2009-08-20 20:12 . 2009-08-20 20:12 791393 ----a-w- c:\temp\erunt-setup.exe
2009-08-16 15:01 . 2009-08-16 15:02 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-08-15 16:20 . 2009-08-15 16:21 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\Temp
2009-08-15 13:25 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-15 12:40 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-15 12:39 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-15 12:39 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-15 12:39 . 2009-08-15 12:40 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-15 12:39 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-15 12:39 . 2009-08-24 17:11 -------- d-----w- c:\program files\Spyware Doctor
2009-08-15 12:39 . 2009-08-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-15 12:39 . 2009-08-15 12:39 -------- d-----w- c:\documents and settings\Ben\Application Data\PC Tools
2009-08-15 11:39 . 2009-08-15 11:39 36864 ----a-w- c:\temp\setup.exe
2009-08-15 08:38 . 2009-08-15 08:38 -------- d-----w- c:\temp\PGXTF10021_all
2009-08-15 08:37 . 2009-08-15 08:37 1464319 ----a-w- c:\temp\PGXTF10021_all.zip
2009-08-14 20:55 . 2009-08-14 20:55 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-14 20:39 . 2009-08-14 20:58 355392 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-08-14 20:39 . 2009-08-14 20:43 457792 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-08-14 20:38 . 2009-08-14 20:38 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\PunkBuster
2009-08-14 20:38 . 2009-08-14 20:58 179264 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-08-14 20:38 . 2009-08-14 20:55 57344 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-08-14 20:38 . 2009-08-14 20:55 874660 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-08-14 20:38 . 2009-08-14 20:55 2661440 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\Ben\Application Data\id Software
2009-08-14 17:18 . 2009-08-14 20:55 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-14 17:18 . 2009-08-14 17:18 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-14 17:18 . 2009-08-14 17:18 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\windows\system32\LogFiles
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-14 17:17 . 2009-08-14 17:17 3987968 ----a-w- c:\temp\QuakeLiveNP.msi
2009-08-12 18:53 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 22:55 . 2009-08-05 22:55 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-26 16:33 . 2009-07-26 16:33 -------- d-----w- c:\windows\Cache
2009-07-26 16:33 . 2009-07-26 16:33 -------- d-----w- c:\program files\Coupon Printer
2009-07-26 16:33 . 2009-07-26 16:33 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-07-26 16:33 . 2009-07-26 16:33 951656 ----a-w- c:\temp\couponprinter.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-24 21:32 . 2008-12-06 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-24 21:02 . 2007-11-06 19:24 169936 ----a-w- c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\FlashGot.exe
2009-08-20 16:38 . 2009-06-05 20:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 16:31 . 2009-06-05 20:16 38208 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-15 17:00 . 2005-07-18 19:48 -------- d-----w- c:\program files\NavNT
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 09:08 . 2004-08-10 11:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 13:01 . 2009-07-06 13:01 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2009-06-30 17:02 . 2007-06-28 21:07 1878984 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-29 16:12 . 2004-08-10 11:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 11:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-10 12:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 11:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 11:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-12-27 22:10 . 2005-12-27 22:10 97 ----a-w- c:\program files\WS_FTP.LOG
2005-12-27 22:08 . 2005-12-27 22:08 153991 ----a-w- c:\program files\Ws-ftp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-13 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-22 1181064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Ben\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-16 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-13 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ws-ftp\\ws_ftp32.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13445:TCP"= 13445:TCP:BitComet 13445 TCP
"13445:UDP"= 13445:UDP:BitComet 13445 UDP

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/08/2009 13:39 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [15/08/2009 14:25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [15/08/2009 14:25 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [15/08/2009 13:40 159600]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/08/2009 13:39 348752]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [15/08/2009 13:39 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [15/08/2009 14:25 33056]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\USBSnoop.sys [07/04/2006 14:29 23972]
S3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\USBSnpys.sys [07/04/2006 14:29 92544]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2009-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2005-07-12 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-08-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A38FF314-88B6-11DE-BEBD-168756D89593} - c:\docume~1\Ben\LOCALS~1\Temp\~2D.dll
Toolbar-SITEguard - (no file)
HKLM-Run-adiras - adiras.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\windows\system32\NavLogon.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll

- - - - - - - > 'lsass.exe'(740)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll

- - - - - - - > 'explorer.exe'(3492)
c:\windows\system32\WININET.dll
c:\program files\Spyware Doctor\pctgmhk.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen\CTJBNS2.dll
c:\program files\Creative\Creative Zen\CTIntrfc.dll
c:\program files\Creative\Creative Zen\CTConfig.DLL
c:\program files\Creative\Creative Zen\JBNSRES.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Spyware Doctor\TFEngine\TFService.exe
c:\program files\Lexmark X5100 Series\lxbabmon.exe
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2009-08-24 22:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-24 21:40

Pre-Run: 54,068,666,368 bytes free
Post-Run: 54,446,940,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

316 --- E O F --- 2009-08-14 09:41





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:45:59, on 24/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223713212125
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11244 bytes

Shaba
2009-08-25, 06:13
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


File::
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13445:TCP"=-
"13445:UDP"=-

DDS::
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Ben h
2009-08-25, 19:50
Here is the log file

File::
c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13445:TCP"=-
"13445:UDP"=-

DDS::
IE: &D&ownload &with BitComet
IE: &D&ownload all video with BitComet
IE: &D&ownload all with BitComet

Ben h
2009-08-25, 19:51
Try again

ComboFix 09-08-24.06 - Ben 25/08/2009 18:28.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.605 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
"c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-24 17:46 . 2009-08-24 17:48 -------- d-----w- c:\documents and settings\Ben\Application Data\FileZilla
2009-08-24 17:45 . 2009-08-24 17:45 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-24 17:45 . 2009-08-24 17:45 4076719 ----a-w- c:\temp\FileZilla_3.2.7.1_win32-setup.exe
2009-08-20 20:17 . 2009-08-20 20:17 -------- d-----w- c:\program files\Trend Micro
2009-08-20 20:16 . 2009-08-20 20:16 812344 ----a-w- c:\temp\HJTInstall.exe
2009-08-20 20:13 . 2009-08-20 20:13 -------- d-----w- c:\program files\ERUNT
2009-08-20 20:12 . 2009-08-20 20:12 791393 ----a-w- c:\temp\erunt-setup.exe
2009-08-16 15:01 . 2009-08-16 15:02 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-08-15 16:20 . 2009-08-15 16:21 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\Temp
2009-08-15 13:25 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-15 12:40 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-15 12:39 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-15 12:39 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-15 12:39 . 2009-08-15 12:40 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-15 12:39 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-15 12:39 . 2009-08-25 17:07 -------- d-----w- c:\program files\Spyware Doctor
2009-08-15 12:39 . 2009-08-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-15 12:39 . 2009-08-15 12:39 -------- d-----w- c:\documents and settings\Ben\Application Data\PC Tools
2009-08-15 11:39 . 2009-08-15 11:39 36864 ----a-w- c:\temp\setup.exe
2009-08-15 08:38 . 2009-08-15 08:38 -------- d-----w- c:\temp\PGXTF10021_all
2009-08-15 08:37 . 2009-08-15 08:37 1464319 ----a-w- c:\temp\PGXTF10021_all.zip
2009-08-14 20:55 . 2009-08-14 20:55 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-14 20:39 . 2009-08-14 20:58 355392 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-08-14 20:39 . 2009-08-14 20:43 457792 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-08-14 20:38 . 2009-08-14 20:38 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\PunkBuster
2009-08-14 20:38 . 2009-08-14 20:58 179264 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-08-14 20:38 . 2009-08-14 20:55 57344 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-08-14 20:38 . 2009-08-14 20:55 874660 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-08-14 20:38 . 2009-08-14 20:55 2661440 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\Ben\Application Data\id Software
2009-08-14 17:18 . 2009-08-14 20:55 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-14 17:18 . 2009-08-14 17:18 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-14 17:18 . 2009-08-14 17:18 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\windows\system32\LogFiles
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-14 17:17 . 2009-08-14 17:17 3987968 ----a-w- c:\temp\QuakeLiveNP.msi
2009-08-12 18:53 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 22:55 . 2009-08-05 22:55 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 17:15 . 2008-12-06 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-25 16:49 . 2007-11-06 19:24 169936 ----a-w- c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\FlashGot.exe
2009-08-20 16:38 . 2009-06-05 20:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 16:31 . 2009-06-05 20:16 38208 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-15 17:00 . 2005-07-18 19:48 -------- d-----w- c:\program files\NavNT
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 16:33 . 2009-07-26 16:33 -------- d-----w- c:\program files\Coupon Printer
2009-07-26 16:33 . 2009-07-26 16:33 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 09:08 . 2004-08-10 11:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 13:01 . 2009-07-06 13:01 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2009-06-30 17:02 . 2007-06-28 21:07 1878984 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-29 16:12 . 2004-08-10 11:51 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 11:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-10 12:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 11:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 11:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-12-27 22:10 . 2005-12-27 22:10 97 ----a-w- c:\program files\WS_FTP.LOG
2005-12-27 22:08 . 2005-12-27 22:08 153991 ----a-w- c:\program files\Ws-ftp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-13 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-22 1181064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Ben\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-16 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-13 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ws-ftp\\ws_ftp32.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/08/2009 13:39 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [15/08/2009 14:25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [15/08/2009 14:25 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [15/08/2009 13:40 159600]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/08/2009 13:39 348752]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [15/08/2009 13:39 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [15/08/2009 14:25 33056]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\USBSnoop.sys [07/04/2006 14:29 23972]
S3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\USBSnpys.sys [07/04/2006 14:29 92544]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2009-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2005-07-12 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-08-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-25 18:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
.
Completion time: 2009-08-25 18:41
ComboFix-quarantined-files.txt 2009-08-25 17:41
ComboFix2.txt 2009-08-24 21:40

Pre-Run: 54,433,660,928 bytes free
Post-Run: 54,385,008,640 bytes free

264 --- E O F --- 2009-08-14 09:41

Shaba
2009-08-25, 19:58
Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on the Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

Ben h
2009-08-26, 08:03
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 26, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, August 25, 2009 21:21:21
Records in database: 2687527
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 112553
Threats found: 9
Infected objects found: 18
Suspicious objects found: 0
Scan duration: 02:18:51


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN Infected: Trojan-Downloader.Java.OpenStream.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN Infected: Trojan.Java.ClassLoader.h 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN Infected: Trojan.Java.ClassLoader.d 1
C:\Documents and Settings\Ben\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Downloader.Win32.Agent.yu 1
C:\Documents and Settings\Ben\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sober.y 6
C:\Program Files\Mozilla Firefox\temp.exe Infected: Trojan.Win32.Delf.omp 1
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll Infected: not-a-virus:AdWare.Win32.MyWay.v 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ws2_32.dll.vir Infected: Trojan.Win32.Patched.hg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1477\A0088868.exe Infected: Trojan.Win32.Delf.omp 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1477\A0088991.dll Infected: Trojan.Win32.Patched.hg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1477\A0088992.dll Infected: Trojan.Win32.Patched.hg 1
C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll Infected: Trojan.Win32.Patched.hg 1

Selected area has been scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:02:19, on 26/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Ben\Local Settings\Temp\jkos-Ben\binaries\ScanningProcess.exe
C:\Documents and Settings\Ben\Local Settings\Temp\jkos-Ben\binaries\ScanningProcess.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223713212125
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 10823 bytes

Shaba
2009-08-26, 13:27
Please run this cfscript:

File::
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E40000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN
C:\Program Files\Mozilla Firefox\temp.exe

Folder::
C:\Program Files\MyWaySA
C:\Program Files\BitComet

FCopy::
c:\windows\system32\ws2_32.dll | C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll

Post back a fresh ComboFix log and a fresh HijackThis log, please.

Ben h
2009-08-26, 19:42
ComboFix 09-08-26.03 - Ben 26/08/2009 18:21.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.658 [GMT 1:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ben\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FILE ::
"c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E40000.VBN"
"c:\documents and settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN"
"c:\program files\Mozilla Firefox\temp.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitComet
c:\program files\BitComet\BitComet.exe
c:\program files\BitComet\BitComet.url
c:\program files\BitComet\BitComet.xml
c:\program files\BitComet\cache\post_info.xml
c:\program files\BitComet\cache\rss_index.xml
c:\program files\BitComet\ChangeLog.txt
c:\program files\BitComet\CrashReport.exe
c:\program files\BitComet\dbghelp.dll
c:\program files\BitComet\Downloads.xml
c:\program files\BitComet\fav\ad\artow.gif
c:\program files\BitComet\fav\ad\previewdlg_en_us.htm
c:\program files\BitComet\fav\ad\previewdlg_zh_cn.htm
c:\program files\BitComet\fav\ad\previewwnd_en_us.htm
c:\program files\BitComet\fav\ad\previewwnd_en_us.htm.bak
c:\program files\BitComet\fav\ad\previewwnd_zh_cn.htm
c:\program files\BitComet\fav\ad\pv_dlg.swf
c:\program files\BitComet\fav\ad\pv_wnd.swf
c:\program files\BitComet\fav\ad\pv_wnd_us.swf
c:\program files\BitComet\fav\ad\pv_wnd_us1.swf
c:\program files\BitComet\fav\ad\pv_wnd_us2.swf
c:\program files\BitComet\fav\download-complete.wav
c:\program files\BitComet\fav\fav_bg_bg.xml
c:\program files\BitComet\fav\fav_ca_es.xml
c:\program files\BitComet\fav\fav_de_de.xml
c:\program files\BitComet\fav\fav_el_gr.xml
c:\program files\BitComet\fav\fav_en_us.xml
c:\program files\BitComet\fav\fav_en_us.xml.bak
c:\program files\BitComet\fav\fav_es_es.xml
c:\program files\BitComet\fav\fav_fi_fi.xml
c:\program files\BitComet\fav\fav_he_il.xml
c:\program files\BitComet\fav\fav_hu_hu.xml
c:\program files\BitComet\fav\fav_it_it.xml
c:\program files\BitComet\fav\fav_jp_jp.xml
c:\program files\BitComet\fav\fav_ko_kr.xml
c:\program files\BitComet\fav\fav_lv_lv.xml
c:\program files\BitComet\fav\fav_nl_nl.xml
c:\program files\BitComet\fav\fav_pl_pl.xml
c:\program files\BitComet\fav\fav_pt_br.xml
c:\program files\BitComet\fav\fav_pt_pt.xml
c:\program files\BitComet\fav\fav_ru_ru.xml
c:\program files\BitComet\fav\fav_sl_si.xml
c:\program files\BitComet\fav\fav_th_th.xml
c:\program files\BitComet\fav\fav_uk_ua.xml
c:\program files\BitComet\fav\fav_va_es.xml
c:\program files\BitComet\fav\fav_vi_vn.xml
c:\program files\BitComet\fav\fav_zh_cn.xml
c:\program files\BitComet\fav\fav_zh_tw.xml
c:\program files\BitComet\fav\HowTo-AddYourSite.txt
c:\program files\BitComet\fav\introduce_zh_cn.mht
c:\program files\BitComet\fav\passport_info_en_us.mht
c:\program files\BitComet\fav\passport_info_en_us.mht.bak
c:\program files\BitComet\fav\passport_info_zh_cn.mht
c:\program files\BitComet\fav\passport_info_zh_tw.mht
c:\program files\BitComet\fav\passport_login_en_us.mht
c:\program files\BitComet\fav\passport_login_zh_cn.mht
c:\program files\BitComet\fav\passport_login_zh_tw.mht
c:\program files\BitComet\fav\search_el_gr.mht
c:\program files\BitComet\fav\search_en_us.mht
c:\program files\BitComet\fav\search_en_us.mht.bak
c:\program files\BitComet\fav\search_uk_ua.mht
c:\program files\BitComet\fav\search_zh_cn.mht
c:\program files\BitComet\Favourite.xml
c:\program files\BitComet\lang\HowTo-Translate.txt
c:\program files\BitComet\lang\lang_ar_ae.xml
c:\program files\BitComet\lang\lang_ba_ba.xml
c:\program files\BitComet\lang\lang_ba_eu.xml
c:\program files\BitComet\lang\lang_bg_bg.xml
c:\program files\BitComet\lang\lang_ca_es.xml
c:\program files\BitComet\lang\lang_cz_cz.xml
c:\program files\BitComet\lang\lang_da_dk.xml
c:\program files\BitComet\lang\lang_de_de.xml
c:\program files\BitComet\lang\lang_el_gr.xml
c:\program files\BitComet\lang\lang_en_us.xml
c:\program files\BitComet\lang\lang_es_ar.xml
c:\program files\BitComet\lang\lang_es_es.xml
c:\program files\BitComet\lang\lang_et_ee.xml
c:\program files\BitComet\lang\lang_fi_fi.xml
c:\program files\BitComet\lang\lang_fr_fr.xml
c:\program files\BitComet\lang\lang_gl_es.xml
c:\program files\BitComet\lang\lang_he_il.xml
c:\program files\BitComet\lang\lang_hr_hr.xml
c:\program files\BitComet\lang\lang_hu_hu.xml
c:\program files\BitComet\lang\lang_it_it.xml
c:\program files\BitComet\lang\lang_jp_jp.xml
c:\program files\BitComet\lang\lang_ko_kr.xml
c:\program files\BitComet\lang\lang_lt_lt.xml
c:\program files\BitComet\lang\lang_lv_lv.xml
c:\program files\BitComet\lang\lang_nb_no.xml
c:\program files\BitComet\lang\lang_nl_nl.xml
c:\program files\BitComet\lang\lang_pl_pl.xml
c:\program files\BitComet\lang\lang_pt_br.xml
c:\program files\BitComet\lang\lang_pt_pt.xml
c:\program files\BitComet\lang\lang_ro_ro.xml
c:\program files\BitComet\lang\lang_ru_ru.xml
c:\program files\BitComet\lang\lang_sk_sk.xml
c:\program files\BitComet\lang\lang_sl_si.xml
c:\program files\BitComet\lang\lang_sq_al.xml
c:\program files\BitComet\lang\lang_sr_sr.xml
c:\program files\BitComet\lang\lang_sv_se.xml
c:\program files\BitComet\lang\lang_th_th.xml
c:\program files\BitComet\lang\lang_tr_tr.xml
c:\program files\BitComet\lang\lang_uk_ua.xml
c:\program files\BitComet\lang\lang_va_es.xml
c:\program files\BitComet\lang\lang_vi_vn.xml
c:\program files\BitComet\lang\lang_zh_cn.xml
c:\program files\BitComet\lang\lang_zh_tw.xml
c:\program files\BitComet\License.txt
c:\program files\BitComet\ReadMe.txt
c:\program files\BitComet\rules\blocklist.dat
c:\program files\BitComet\rules\dhtnodes.dat
c:\program files\BitComet\rules\tracker.dat
c:\program files\BitComet\scripts\cookie.lua
c:\program files\BitComet\scripts\flv_15150.lua
c:\program files\BitComet\scripts\flv_155.lua
c:\program files\BitComet\scripts\flv_163888.lua
c:\program files\BitComet\scripts\flv_17173.lua
c:\program files\BitComet\scripts\flv_1ting.lua
c:\program files\BitComet\scripts\flv_21gt.lua
c:\program files\BitComet\scripts\flv_516.lua
c:\program files\BitComet\scripts\flv_51tv.lua
c:\program files\BitComet\scripts\flv_56.lua
c:\program files\BitComet\scripts\flv_5show.lua
c:\program files\BitComet\scripts\flv_5t.lua
c:\program files\BitComet\scripts\flv_6rooms.lua
c:\program files\BitComet\scripts\flv_91vc.lua
c:\program files\BitComet\scripts\flv_9you.lua
c:\program files\BitComet\scripts\flv_bebo.lua
c:\program files\BitComet\scripts\flv_blip.lua
c:\program files\BitComet\scripts\flv_cnboo.lua
c:\program files\BitComet\scripts\flv_collegehumor.lua
c:\program files\BitComet\scripts\flv_dailymotion.lua
c:\program files\BitComet\scripts\flv_dumpalink.lua
c:\program files\BitComet\scripts\flv_dusee.lua
c:\program files\BitComet\scripts\flv_einhand.lua
c:\program files\BitComet\scripts\flv_feesee.lua
c:\program files\BitComet\scripts\flv_gameklip.lua
c:\program files\BitComet\scripts\flv_glumbert.lua
c:\program files\BitComet\scripts\flv_googlevideo.lua
c:\program files\BitComet\scripts\flv_guba.lua
c:\program files\BitComet\scripts\flv_iask.lua
c:\program files\BitComet\scripts\flv_ifilm.lua
c:\program files\BitComet\scripts\flv_kubao.lua
c:\program files\BitComet\scripts\flv_maidee.lua
c:\program files\BitComet\scripts\flv_metacafe.lua
c:\program files\BitComet\scripts\flv_mop.lua
c:\program files\BitComet\scripts\flv_quxiu.lua
c:\program files\BitComet\scripts\flv_tudou.lua
c:\program files\BitComet\scripts\flv_tvix.lua
c:\program files\BitComet\scripts\flv_uume.lua
c:\program files\BitComet\scripts\flv_vwangyou.lua
c:\program files\BitComet\scripts\flv_yijian.lua
c:\program files\BitComet\scripts\flv_yoqoo.lua
c:\program files\BitComet\scripts\flv_youtube.lua
c:\program files\BitComet\scripts\mp3_baidu.lua
c:\program files\BitComet\scripts\mp3_didai.lua
c:\program files\BitComet\scripts\mp3_iask.lua
c:\program files\BitComet\scripts\mp3_qihoo.lua
c:\program files\BitComet\scripts\mp3_sogou.lua
c:\program files\BitComet\scripts\mp3_sogua.lua
c:\program files\BitComet\scripts\mp3_yahoo.lua
c:\program files\BitComet\scripts\mp3_zhongsou.lua
c:\program files\BitComet\scripts\refer_crsky.lua
c:\program files\BitComet\scripts\refer_newhua.lua
c:\program files\BitComet\scripts\refer_pchome.lua
c:\program files\BitComet\scripts\refer_skycn.lua
c:\program files\BitComet\scripts\refer_sourceforge.lua
c:\program files\BitComet\scripts\soft_2118.lua
c:\program files\BitComet\scripts\soft_21cn.lua
c:\program files\BitComet\scripts\soft_ddooo.lua
c:\program files\BitComet\scripts\soft_duote.lua
c:\program files\BitComet\scripts\soft_it_com_cn.lua
c:\program files\BitComet\scripts\soft_mydown.lua
c:\program files\BitComet\scripts\soft_mydrivers.lua
c:\program files\BitComet\scripts\soft_newhua.lua
c:\program files\BitComet\scripts\soft_pchome.lua
c:\program files\BitComet\scripts\soft_pconline.lua
c:\program files\BitComet\scripts\soft_sina.lua
c:\program files\BitComet\scripts\soft_skycn.lua
c:\program files\BitComet\scripts\soft_sohu.lua
c:\program files\BitComet\scripts\soft_zol.lua
c:\program files\BitComet\share\my_shares.xml
c:\program files\BitComet\tools\BitCometAgent_1.2.1.30.dll
c:\program files\BitComet\tools\BitCometBHO_1.2.2.28.dll
c:\program files\BitComet\tools\CometBrowser.exe
c:\program files\BitComet\tools\curl.exe
c:\program files\BitComet\tools\FlvPlayer.exe
c:\program files\BitComet\tools\RealMediaSplitter.ax
c:\program files\BitComet\tools\UPNP.exe
c:\program files\BitComet\tools\VideoSnapshot.exe
c:\program files\BitComet\tools\VistaTcpPatch.exe
c:\program files\BitComet\torrents\Dirk_Gently's_Holistic_Detective_Agency_BBC_E01.mp3.torrent
c:\program files\BitComet\torrents\Dirk_Gently's_Holistic_Detective_Agency_BBC_E02.mp3.torrent
c:\program files\BitComet\torrents\Dirk_Gently's_Holistic_Detective_Agency_BBC_E03.mp3.torrent
c:\program files\BitComet\torrents\Dirk_Gently's_Holistic_Detective_Agency_BBC_E04.mp3.torrent
c:\program files\BitComet\torrents\Douglas Adams - Dirk Gently's Holistic Detective Agency - AUDIOBOOK (2007).torrent
c:\program files\BitComet\torrents\NHBC Standards 2007.nrg.torrent
c:\program files\BitComet\torrents\NHBC Standards 2007.nrg.xml
c:\program files\BitComet\uninst.exe
c:\program files\Mozilla Firefox\temp.exe
c:\program files\MyWaySA
c:\program files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll

.
--------------- FCopy ---------------

c:\windows\system32\ws2_32.dll --> c:\windows\ServicePackFiles\i386\ws2_32.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-24 17:46 . 2009-08-24 17:48 -------- d-----w- c:\documents and settings\Ben\Application Data\FileZilla
2009-08-24 17:45 . 2009-08-24 17:45 -------- d-----w- c:\program files\FileZilla FTP Client
2009-08-24 17:45 . 2009-08-24 17:45 4076719 ----a-w- c:\temp\FileZilla_3.2.7.1_win32-setup.exe
2009-08-20 20:17 . 2009-08-20 20:17 -------- d-----w- c:\program files\Trend Micro
2009-08-20 20:16 . 2009-08-20 20:16 812344 ----a-w- c:\temp\HJTInstall.exe
2009-08-20 20:13 . 2009-08-20 20:13 -------- d-----w- c:\program files\ERUNT
2009-08-20 20:12 . 2009-08-20 20:12 791393 ----a-w- c:\temp\erunt-setup.exe
2009-08-16 15:01 . 2009-08-16 15:02 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-08-15 16:20 . 2009-08-15 16:21 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\Temp
2009-08-15 13:25 . 2009-03-31 10:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-15 13:25 . 2009-03-31 10:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-15 12:40 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-15 12:39 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-15 12:39 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-15 12:39 . 2009-08-15 12:40 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-15 12:39 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-15 12:39 . 2009-08-26 17:10 -------- d-----w- c:\program files\Spyware Doctor
2009-08-15 12:39 . 2009-08-15 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-15 12:39 . 2009-08-15 12:39 -------- d-----w- c:\documents and settings\Ben\Application Data\PC Tools
2009-08-15 11:39 . 2009-08-15 11:39 36864 ----a-w- c:\temp\setup.exe
2009-08-15 08:38 . 2009-08-15 08:38 -------- d-----w- c:\temp\PGXTF10021_all
2009-08-15 08:37 . 2009-08-15 08:37 1464319 ----a-w- c:\temp\PGXTF10021_all.zip
2009-08-14 20:55 . 2009-08-14 20:55 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-14 20:39 . 2009-08-14 20:58 355392 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-08-14 20:39 . 2009-08-14 20:43 457792 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-08-14 20:38 . 2009-08-14 20:38 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\PunkBuster
2009-08-14 20:38 . 2009-08-14 20:58 179264 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-08-14 20:38 . 2009-08-14 20:55 57344 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-08-14 20:38 . 2009-08-14 20:55 874660 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-08-14 20:38 . 2009-08-14 20:55 2661440 ----a-w- c:\documents and settings\Ben\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\Ben\Application Data\id Software
2009-08-14 17:18 . 2009-08-14 20:55 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-14 17:18 . 2009-08-14 17:18 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-14 17:18 . 2009-08-14 17:18 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\windows\system32\LogFiles
2009-08-14 17:18 . 2009-08-14 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-14 17:17 . 2009-08-14 17:17 3987968 ----a-w- c:\temp\QuakeLiveNP.msi
2009-08-12 18:53 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 22:55 . 2009-08-05 22:55 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 17:13 . 2008-12-06 18:07 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-26 16:46 . 2007-11-06 19:24 169936 ----a-w- c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\FlashGot.exe
2009-08-20 16:38 . 2009-06-05 20:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-20 16:31 . 2009-06-05 20:16 38208 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-15 17:00 . 2005-07-18 19:48 -------- d-----w- c:\program files\NavNT
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-26 16:33 . 2009-07-26 16:33 -------- d-----w- c:\program files\Coupon Printer
2009-07-26 16:33 . 2009-07-26 16:33 31 ---ha-w- c:\windows\UKCpInfo.sys
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 09:08 . 2004-08-10 11:51 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 13:01 . 2009-07-06 13:01 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2009-06-30 17:02 . 2007-06-28 21:07 1878984 ----a-w- c:\documents and settings\Ben\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-29 16:12 . 2004-08-10 11:51 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2004-08-10 11:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-10 12:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 11:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2004-08-10 11:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-12-27 22:10 . 2005-12-27 22:10 97 ----a-w- c:\program files\WS_FTP.LOG
2005-12-27 22:08 . 2005-12-27 22:08 153991 ----a-w- c:\program files\Ws-ftp.zip
.

((((((((((((((((((((((((((((( SnapShot@2009-08-24_21.33.44 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
"Google Update"="c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Lexmark X5100 Series"="c:\program files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 86100]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-13 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-03-23 227328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-19 136600]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-22 1181064]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\STSYSTRA.EXE [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 1744896]

c:\documents and settings\Ben\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-8-16 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-13 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ws-ftp\\ws_ftp32.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [15/08/2009 13:39 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [15/08/2009 14:25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [15/08/2009 14:25 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [15/08/2009 13:40 159600]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [15/08/2009 13:39 348752]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [15/08/2009 13:39 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [15/08/2009 14:25 33056]
R3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 usbsnoop;USB Snoopy Filter Driver Service;c:\windows\system32\drivers\USBSnoop.sys [07/04/2006 14:29 23972]
S3 usbsnpys;USB Snoopy Driver Exposer Service;c:\windows\system32\drivers\USBSnpys.sys [07/04/2006 14:29 92544]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006Core.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2009-08-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1833754385-3838629134-3540252015-1006UA.job
- c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-15 16:18]

2005-07-12 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]

2009-08-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.co.uk/myway
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Ben\Application Data\Mozilla\Firefox\Profiles\l2c10be6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\Ben\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 18:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
c:\program files\Spyware Doctor\TFEngine\TFNI.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'lsass.exe'(736)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\program files\Spyware Doctor\TFEngine\TFWAH.dll
.
Completion time: 2009-08-26 18:39
ComboFix-quarantined-files.txt 2009-08-26 17:39
ComboFix2.txt 2009-08-25 17:41
ComboFix3.txt 2009-08-24 21:40

Pre-Run: 54,336,557,056 bytes free
Post-Run: 54,366,572,544 bytes free

472 --- E O F --- 2009-08-14 09:41





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:41:23, on 26/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ben\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-1007\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User 'Bev')
O4 - HKUS\S-1-5-21-1833754385-3838629134-3540252015-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BBC iPlayer Desktop.lnk = C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223713212125
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 11101 bytes

Shaba
2009-08-26, 19:50
Good :)

Still problems?

Ben h
2009-08-26, 20:40
I haven't noticed any problems since the last but one scan. The PC is now running much faster, with Firefox opening very quickly. IE also seems OK.

Thank you very much for your help. I will be more careful in future.

Ben

Shaba
2009-08-26, 21:18
Then, before the final instructions, I have to ask: have you uninstalled Norton?

Ben h
2009-08-27, 19:54
I have not uninstalled Norton, but it is switched off.

Shaba
2009-08-27, 20:15
I see.

Are both Spyware Doctor and Norton up-to-date?

Ben h
2009-08-27, 20:46
Spyware Doctor is up to date. I was never sure that Norton was updating properly or doing a good job.

Shaba
2009-08-27, 20:51
OK.

Which version of Norton is it?

Ben h
2009-08-27, 23:26
It is Norton Antivirus Corporate Edition 7.60.926

Shaba
2009-08-28, 06:08
So then I'm wondering why the corporate edition is on a home PC?

Ben h
2009-08-28, 08:13
Ah, because my wife's work offer their virus protection to employees so that it is safer to work from home.

Shaba
2009-08-28, 08:27
OK :)

Please download and run this (http://www.softpedia.com/get/Tweak/Uninstallers/Norton-Removal-Tool.shtml) (if you want to remove Norton; either Norton or Spyware Doctor needs to be uninstalled because only one antivirus should be used).

Post back a fresh HijackThis log afterwards, please.

Ben h
2009-08-31, 15:29
I have tried to run 'Norton removal tool' and it told me that the version had expired. I then went to the directed website (http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2006050909471013) and downloaded a later version that gave me the same error.

Shaba
2009-08-31, 16:32
I see.

Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for Norton and click OK. Post the logfile from the tool here for me.

Ben h
2009-08-31, 16:53
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Norton" 31/08/2009 15:52:52

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{142FB276-7C38-4BB4-B475-3F9233B3EFF8}\LocalServer32]
@="\"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F743EA98-42BD-4E2C-A221-3F7B646748C7}\1.0\HELPDIR]
@="C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\Savrt\\"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\navapsvc]
"EventMessageFile"="\"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\navapsvc]
"DisplayName"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\navapsvc]
"Description"="Handles Norton AntiVirus Auto-Protect events."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\navapsvc]
"EventMessageFile"="\"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\navapsvc]
"DisplayName"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\navapsvc]
"Description"="Handles Norton AntiVirus Auto-Protect events."

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\navapsvc]
"EventMessageFile"="\"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc]
"DisplayName"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\navapsvc]
"Description"="Handles Norton AntiVirus Auto-Protect events."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"f"="C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Norton AntiVirus Corporate Edition]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool(2).exe"="Norton Removal Tool"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\NavNT\\vptray.exe"="Norton AntiVirus"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Norton AntiVirus]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"="URL Check List"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\BootWarn.exe"="Norton AntiVirus Boot Warning"

Shaba
2009-08-31, 18:11
Please do the same search for Symantec and post back the results :)

Ben h
2009-08-31, 19:33
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Symantec" 31/08/2009 18:32:39

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\ProgID]
@="Symantec.stCheckForUpdates.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\VersionIndependentProgID]
@="Symantec.stCheckForUpdates"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\ProgID]
@="Symantec.stInetTransferItem.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\VersionIndependentProgID]
@="Symantec.stInetTransferItem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\ProgID]
@="Symantec.stInetBatchGet.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\VersionIndependentProgID]
@="Symantec.stInetBatchGet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\ProgID]
@="Symantec.stLUProgressCallback.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\VersionIndependentProgID]
@="Symantec.stLUProgressCallback"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\ProgID]
@="Symantec.stCallbackManager.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\VersionIndependentProgID]
@="Symantec.stCallbackManager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40800-D38D-11D3-B562-00902771A435}\InProcServer32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\LuComServerPS.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\ProgID]
@="Symantec.stLog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\VersionIndependentProgID]
@="Symantec.stLog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\InprocServer32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\ProductRegCom.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\ProgID]
@="Symantec.luProductReg.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\VersionIndependentProgID]
@="Symantec.luProductReg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CEFD16C-91C2-4953-986E-EE77DE2DCF94}\InprocServer32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\NetDetectController.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\InprocServer32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\ProductRegCom.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\ProgID]
@="Symantec.luGroup.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\VersionIndependentProgID]
@="Symantec.luGroup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\ProgID]
@="Symantec.stSettings.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\VersionIndependentProgID]
@="Symantec.stSettings"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\ProgID]
@="Symantec.stHostCatalog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\VersionIndependentProgID]
@="Symantec.stHostCatalog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990301-3c9d-426d-81df-aab636fa4345}]
@="Symantec Script Runner Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\ProgID]
@="Symantec.stPatchCatalog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\VersionIndependentProgID]
@="Symantec.stPatchCatalog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\ProgID]
@="Symantec.stPatch.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\VersionIndependentProgID]
@="Symantec.stPatch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\ProgID]
@="Symantec.stDisScriptEngine.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\VersionIndependentProgID]
@="Symantec.stDisScriptEngine"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91581CB1-0E7B-11D1-9D93-00A0C95C1762}\ToolboxBitmap32]
@="C:\\Program Files\\Common Files\\Symantec Shared\\SSC\\webshell.dll, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\ProgID]
@="Symantec.stInetGetFile.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\VersionIndependentProgID]
@="Symantec.stInetGetFile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\ProgID]
@="Symantec.stHost.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\VersionIndependentProgID]
@="Symantec.stHost"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\LocalServer32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\ProgID]
@="Symantec.stInetConnParms.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\VersionIndependentProgID]
@="Symantec.stInetConnParms"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveupdateFile\DefaultIcon]
@="C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CurVer]
@="Symantec.luGroup.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg\CurVer]
@="Symantec.luProductReg.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager\CurVer]
@="Symantec.stCallbackManager.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates\CurVer]
@="Symantec.stCheckForUpdates.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine\CurVer]
@="Symantec.stDisScriptEngine.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost\CurVer]
@="Symantec.stHost.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog\CurVer]
@="Symantec.stHostCatalog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet\CurVer]
@="Symantec.stInetBatchGet.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms\CurVer]
@="Symantec.stInetConnParms.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile\CurVer]
@="Symantec.stInetGetFile.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem\CurVer]
@="Symantec.stInetTransferItem.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog\CurVer]
@="Symantec.stLog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback\CurVer]
@="Symantec.stLUProgressCallback.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch\CurVer]
@="Symantec.stPatch.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog\CurVer]
@="Symantec.stPatchCatalog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings\CurVer]
@="Symantec.stSettings.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYMC.ScriptRunner]
@="Symantec Script Runner Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYMC.ScriptRunner.1]
@="Symantec Script Runner Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{17580E52-7B07-11D2-BF1F-00A024D73444}\1.0\0\win32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\ProductRegCom.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{17580E52-7B07-11D2-BF1F-00A024D73444}\1.0\HELPDIR]
@="C:\\Program Files\\Symantec\\LiveUpdate\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{51B9BCA6-4A06-11D3-B538-00902771A435}\1.0\0\win32]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{51B9BCA6-4A06-11D3-B538-00902771A435}\1.0\HELPDIR]
@="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F952B50-BCEE-11D1-82D6-00A0C9749EEF}\1.0\0\win32]
@="C:\\Program Files\\Common Files\\Symantec Shared\\SSC\\vpshell2.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F952B50-BCEE-11D1-82D6-00A0C9749EEF}\1.0\HELPDIR]
@="C:\\Program Files\\Common Files\\Symantec Shared\\SSC\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C546DD23-7302-4E47-A4C1-E8417AD4243F}\1.0\0\win32]
@="C:\\Program Files\\Symantec\\LiveUpdate\\NetDetectController.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C546DD23-7302-4E47-A4C1-E8417AD4243F}\1.0\HELPDIR]
@="C:\\Program Files\\Symantec\\LiveUpdate\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FAD5CC54-0E68-11D1-9D91-00A0C95C1762}\1.0\0\win32]
@="C:\\Program Files\\Common Files\\Symantec Shared\\SSC\\webshell.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FAD5CC54-0E68-11D1-9D91-00A0C95C1762}\1.0\HELPDIR]
@="C:\\Program Files\\Common Files\\Symantec Shared\\SSC\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990301-3C9D-426D-81DF-AAB636FA4345}\DownloadInformation]
"CODEBASE"="https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE]
@="C:\\Program Files\\Symantec\\LiveUpdate\\LUALL.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE]
"Path"="C:\\Program Files\\Symantec\\LiveUpdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Common Client\\"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Common Files\\Symantec Shared\\VirusDefs\\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E53A294F83182D45A3785356A851754]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\ccInst.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\31C0682E3111780479067E7CB3B8DBB4]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\ccCharCv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3DEE68F0FC3313E4CAD8E4C3EBCBEC40]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2Text.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3E81A4DC21026924FB5FAF933085D236]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\ccVrTrst.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50BBD0A1CB1FD3648A16157120DF2829]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2TNEF.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50C154874C6F14B48AE0F5068BC7E626]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\DefUtDCD.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50E357748DE0DD840851872431DDB49B]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2RTF.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53DE6260589A37946977BC82BB681915]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\ccL35.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6925106EE9D0AF740BCCD43F8907862F]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2TAR.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EEA3CF07EBD65C48A3FE380BC2FF61E]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2LZ.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91F31ECC41B96D243A45422551C96C23]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2Zip.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\956B95676BE85A84DA3C38A66DE87EF4]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2RAR.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8DC89FAF3F52B3448C6E06B118C405E]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2AMG.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AE842139D531885469A1CDC35A26B1F4]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\DecSDK.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BB26CE3D008E2FA499FDEE6A7A5B9335]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2CAB.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BE6AEA47C44CE854791235345CE87CE6]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2LHA.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C1AC78A74A3296B4BA739BA5E5766344]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2SS.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C1D015D543A678D4088D751CA77430A5]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2ARJ.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D2EEB513BDC48C443B0FFC4606A08DFF]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2ID.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DE6692E1170B7234EB5CFD71486A1C3F]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2GZIP.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F42B98E5315CA254F98CB0E739C7CEA1]
"00000000000000000000000000000000"="C:\\Program Files\\Common Files\\Symantec Shared\\Decomposers\\Dec2.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\S32EVNT1.DLL"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\SYMEVENT.SYS"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Symantec Shared\\SEVINST.EXE"=dword:000001f4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\LiveUpdate\\S32LIVE1.DLL"=dword:00000064

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\LiveUpdate\\S32LUIS1.DLL"=dword:00000064

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6]
"UninstallString"="C:\\Program Files\\Symantec\\LiveUpdate\\LSETUP.EXE /U"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6]
"DisplayName"="LiveUpdate 1.6 (Symantec Corporation)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6]
"InstallLocation"="C:\\Program Files\\Symantec\\LiveUpdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6]
"Publisher"="Symantec Corporation"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst]
"QuietUninstallString"="C:\\Program Files\\Common Files\\Symantec Shared\\SEVINST.EXE /U /Q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{503AA035-41E2-4858-B31F-1E49AC66C309}]
"DisplayIcon"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\SymWSC.exe,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\1.5]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\1.5\RegisteredProducts]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\1.5\RegisteredProducts\{6E34DCC1-B194-11d2-A11E-00409500AD7D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\1.5\RegisteredProducts\{DE907F20-A4A0-11d2-A985-00104B70545A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\Sequences]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\Sequences\SYMEVENT INSTALLER]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\Sequences\SYMEVENT INSTALLER\10.3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\LiveUpdate\Sequences\SYMEVENT INSTALLER\10.3\ENGLISH]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage]

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage]
"LiveUpdate1"="C:\\Program Files\\Symantec\\LiveUpdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SharedUsage]
"LiveUpdate"="C:\\Program Files\\Symantec\\LiveUpdate"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Control Panel\MMCPL]
"SYMLIVE"="C:\\Program Files\\Symantec\\LiveUpdate\\S32LUCP1.CPL"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.symantec.com/nrtexpired"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSB8.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSBB.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC0.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC6.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD4.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD9.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSF3.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS1C.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS3E.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Internet Security]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Norton AntiVirus]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Shared Technology]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Shared Technology\LiveReg]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Shared Technology\LiveReg]
"Store Root"="C:\\Documents and Settings\\Owner\\Application Data\\Symantec"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\LiveReg\\IRALRSHL.EXE"="LiveReg Components"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="Symantec User Session"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Symantec]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Symantec\Shared Technology]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Symantec\Shared Technology\LiveReg]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Symantec\Shared Technology\LiveReg]
"Store Root"="C:\\Documents and Settings\\Owner\\Application Data\\Symantec"

Shaba
2009-08-31, 21:16
Please use the following link to download ERUNT (http://aumha.org/downloads/erunt-setup.exe).
Use the setup program to install ERUNT on your computer.

Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe.

Open Notepad and copy the contents of the following box to a new file.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{142FB276-7C38-4BB4-B475-3F9233B3EFF8}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F743EA98-42BD-4E2C-A221-3F7B646748C7}\1.0\HELPDIR]
@=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\Compatibility\NortonSystemInfo]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\Savrt\\"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\navapsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\navapsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\navapsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSB8.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSBB.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC0.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSC6.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD4.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSD9.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS1C.tmp\\SymNRT.exe"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zS3E.tmp\\SymNRT.exe"=-

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]
"f"=-

[-HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Norton AntiVirus Corporate Edition]

[-HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec\Norton AntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03E0E6C2-363B-11D3-B536-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C17-24F8-11D3-B530-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A577C19-24F8-11D3-B530-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A1-6BD0-11D3-B542-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D4C11A3-6BD0-11D3-B542-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40800-D38D-11D3-B562-00902771A435}\InProcServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ED40801-D38D-11D3-B562-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\InprocServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17580E5F-7B07-11D2-BF1F-00A024D73444}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1CEFD16C-91C2-4953-986E-EE77DE2DCF94}\InprocServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\InprocServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2045EFE5-99CF-11D2-B40A-00600831DD76}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2B83B324-49FD-11D3-B538-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C5B6502-5731-11D3-B53D-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44990301-3c9d-426d-81df-aab636fa4345}]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C2714F-4478-11D3-B537-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C27151-4478-11D3-B537-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87D37EC8-8342-11D3-B54C-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91581CB1-0E7B-11D1-9D93-00A0C95C1762}\ToolboxBitmap32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C10E2CC6-1525-11D3-B527-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F8E2BDBE-5723-11D3-B53D-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\LocalServer32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\ProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FE207EB8-122B-11D3-B527-00902771A435}\VersionIndependentProgID]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveupdateFile\DefaultIcon]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luProductReg.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCallbackManager.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stCheckForUpdates.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stDisScriptEngine.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHost.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stHostCatalog.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetBatchGet.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetConnParms.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetTransferItem.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLog.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stLUProgressCallback.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatch.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stPatchCatalog.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stSettings.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYMC.ScriptRunner]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SYMC.ScriptRunner.1]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{17580E52-7B07-11D2-BF1F-00A024D73444}\1.0\0\win32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{17580E52-7B07-11D2-BF1F-00A024D73444}\1.0\HELPDIR]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{51B9BCA6-4A06-11D3-B538-00902771A435}\1.0\0\win32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{51B9BCA6-4A06-11D3-B538-00902771A435}\1.0\HELPDIR]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F952B50-BCEE-11D1-82D6-00A0C9749EEF}\1.0\0\win32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6F952B50-BCEE-11D1-82D6-00A0C9749EEF}\1.0\HELPDIR]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C546DD23-7302-4E47-A4C1-E8417AD4243F}\1.0\0\win32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C546DD23-7302-4E47-A4C1-E8417AD4243F}\1.0\HELPDIR]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FAD5CC54-0E68-11D1-9D91-00A0C95C1762}\1.0\0\win32]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{FAD5CC54-0E68-11D1-9D91-00A0C95C1762}\1.0\HELPDIR]
@=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990301-3C9D-426D-81DF-AAB636FA4345}\DownloadInformation]
"CODEBASE"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\LUALL.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Common Client\\"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Program Files\\Common Files\\Symantec Shared\\VirusDefs\\"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E53A294F83182D45A3785356A851754]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\31C0682E3111780479067E7CB3B8DBB4]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3DEE68F0FC3313E4CAD8E4C3EBCBEC40]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3E81A4DC21026924FB5FAF933085D236]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50BBD0A1CB1FD3648A16157120DF2829]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50C154874C6F14B48AE0F5068BC7E626]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50E357748DE0DD840851872431DDB49B]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53DE6260589A37946977BC82BB681915]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6925106EE9D0AF740BCCD43F8907862F]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6EEA3CF07EBD65C48A3FE380BC2FF61E]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\91F31ECC41B96D243A45422551C96C23]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\956B95676BE85A84DA3C38A66DE87EF4]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8DC89FAF3F52B3448C6E06B118C405E]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AE842139D531885469A1CDC35A26B1F4]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BB26CE3D008E2FA499FDEE6A7A5B9335]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BE6AEA47C44CE854791235345CE87CE6]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C1AC78A74A3296B4BA739BA5E5766344]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C1D015D543A678D4088D751CA77430A5]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D2EEB513BDC48C443B0FFC4606A08DFF]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DE6692E1170B7234EB5CFD71486A1C3F]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F42B98E5315CA254F98CB0E739C7CEA1]
"00000000000000000000000000000000"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\S32EVNT1.DLL"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\SYMEVENT.SYS"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Common Files\\Symantec Shared\\SEVINST.EXE"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\LiveUpdate\\S32LIVE1.DLL"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls]
"C:\\Program Files\\Symantec\\LiveUpdate\\S32LUIS1.DLL"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate1.6]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst]
"QuietUninstallString"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{503AA035-41E2-4858-B31F-1E49AC66C309}]
"DisplayIcon"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Symantec]

[-HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Symantec]

[-HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Symantec]



Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Go to Desktop, double-click fix.reg and merge the information with the registry.

Reboot.

Do another search for norton and symantec and post back results, please.
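
An added example, not part of the original posts: a small Python audit that can be run over a .reg file before it is merged, listing what each line will delete and flagging lines that will delete nothing. The function name `audit_reg` and the sample keys under `Example` are constructed for illustration.

```python
import re

# "name"=data or @=data; the name may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
STRING_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
TYPED_RE = re.compile(r'^(dword:[0-9a-fA-F]{8}|hex(\([0-9a-fA-F]+\))?:[0-9a-fA-F,\s]*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed sample: line 5 lacks the leading '-', line 9 has a stray quote.
SAMPLE = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Example.Updater.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Example.Updater]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Folders]
"C:\\Program Files\\Example\\"=-
"C:\\Program Files\\Example\\Common\\"="-

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
@=-
"Enabled"=dword:00000000
'''


def audit_reg(text):
    """Classify every operation in a .reg file and collect suspicious lines.

    Returns (ops, problems). ops holds tuples such as ("delete_key", key),
    ("delete_value", key, name) or ("set_value", key, name); problems holds
    (line_number, message) pairs.
    """
    ops, problems = [], []
    key = None        # key that the following value lines apply to
    key_line = 0      # line number of that key header
    key_used = True   # False until a plain header gets at least one value line
    pending = ""      # hex data continued with a trailing backslash

    def close_key():
        # A plain [key] header followed by no values removes nothing.
        if key is not None and not key_used:
            problems.append((key_line, "header without values or leading '-': deletes nothing"))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line in HEADERS:
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            close_key()
            name = line[1:-1]
            if name.startswith("-"):
                ops.append(("delete_key", name[1:]))
                key, key_used = None, True
            else:
                key, key_line, key_used = name, lineno, False
            continue
        m = VALUE_RE.match(line)
        if not m:
            problems.append((lineno, "not a key header or value line"))
            continue
        if key is None:
            problems.append((lineno, "value line does not follow a plain [key] header"))
            continue
        key_used = True
        vname = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":
            ops.append(("delete_value", key, vname))
        elif STRING_RE.match(data) or TYPED_RE.match(data):
            ops.append(("set_value", key, vname))
        else:
            problems.append((lineno, "malformed data %r: value is not deleted" % data))
    close_key()
    return ops, problems


if __name__ == "__main__":
    found_ops, found_problems = audit_reg(SAMPLE)
    for op in found_ops:
        print(*op)
    for lineno, message in found_problems:
        print("line %d: %s" % (lineno, message))
```

Anything reported under problems is worth correcting before the merge, since those entries will still turn up in the follow-up registry search.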

Ben h
2009-08-31, 21:26
Norton:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Norton" 31/08/2009 20:23:43

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"="C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe:*:Enabled:Norton Removal Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool(2).exe"="Norton Removal Tool"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\NavNT\\vptray.exe"="Norton AntiVirus"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"="URL Check List"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\BootWarn.exe"="Norton AntiVirus Boot Warning"


symantec:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "symantec" 31/08/2009 20:26:20

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup\CurVer]
@="Symantec.luGroup.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Common Client\\"="1"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Control Panel\MMCPL]
"SYMLIVE"="C:\\Program Files\\Symantec\\LiveUpdate\\S32LUCP1.CPL"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.symantec.com/nrtexpired"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSB8.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSBB.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC0.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC6.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD4.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD9.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSF3.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS1C.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS3E.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\LiveReg\\IRALRSHL.EXE"="LiveReg Components"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="Symantec User Session"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

Shaba
2009-09-01, 06:14
Better :)

Open Notepad and copy the contents of the following box to a new file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.luGroup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Symantec.stInetGetFile.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Common Client\\"=-

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Control Panel\MMCPL]
"SYMLIVE"=-

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ben\\Local Settings\\Temp\\7zSF3.tmp\\SymNRT.exe"=-

Save it as fix2.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Go to Desktop, double-click fix2.reg and merge the information with the registry.

Reboot.


Download RegASSASSIN by malwarebytes.org from here (http://www.malwarebytes.org/RegASSASSIN.exe)
Double-click on RegASSASSIN.exe to start RegASSASSIN
Copy and paste the below into the white box one at a time.


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVAPSVC

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAVAPSVC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVAPSVC

Click Delete
Answer Yes to any prompts


Do another search for norton and symantec and post back results, please.

Ben h
2009-09-02, 19:32
Regassassin could not delete the three keys:

Here are the search results:

Norton:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "norton" 02/09/2009 18:29:55

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVAPSVC\0000]
"DeviceDesc"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool(2).exe"="Norton Removal Tool"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\NavNT\\vptray.exe"="Norton AntiVirus"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"="URL Check List"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\BootWarn.exe"="Norton AntiVirus Boot Warning"





REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "symantec" 02/09/2009 18:31:20

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.symantec.com/nrtexpired"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSB8.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSBB.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC0.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSC6.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD4.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSD9.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zSF3.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS1C.tmp\\SymNRT.exe"="Symantec Removal Utility"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\DOCUME~1\\Ben\\LOCALS~1\\Temp\\7zS3E.tmp\\SymNRT.exe"="Symantec Removal Utility"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\LiveReg\\IRALRSHL.EXE"="LiveReg Components"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"="Symantec User Session"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

Shaba
2009-09-02, 20:26
Go here (http://www.microsoft.com/downloads/details.aspx?familyid=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en) and download subinacl.msi
Double click on subinacl.msi to start the installation of Subinacl
Click Next>
Select I accept and click Next>
Click browse
From the drop down menu select C:\
Double click on WINDOWS and then system32
Click OK
Click Install now
Click Finish


Then:

Save text below as remnorton.bat

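@echo off
REM Keys under Enum\Root are normally writable only by SYSTEM, so a plain
REM delete fails. Take ownership and grant access first, then delete.
FOR %%R IN (
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAVAPSVC"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NAVAPSVC"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NAVAPSVC"
) Do (
REM Make the current user owner of the key and its subkeys with Full control
subinacl.exe /subkeyreg %%R /setowner=%username% /grant=%username%=F
REM Delete the key and all of its subkeys without prompting
reg delete %%R /f
)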

Double-click it, reboot and do another search for Norton, please.

Ben h
2009-09-02, 20:51
REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "norton" 02/09/2009 19:50:41

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"i"="C:\\Documents and Settings\\Ben\\Desktop\\remnorton.bat"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bat]
"a"="C:\\Documents and Settings\\Ben\\Desktop\\remnorton.bat"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool.exe"="Norton Removal Tool"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Ben\\Desktop\\Norton_Removal_Tool(2).exe"="Norton Removal Tool"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"

"C:\\Documents and Settings\\Ben\\Local Settings\\Temporary Internet Files\\Content.IE5\\7GNCCPNX\\Norton_Removal_Tool[1].exe"="Norton Removal Tool"
"C:\\Documents and Settings\\Ben\\Desktop\\remnorton.bat"="remnorton"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-1007\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\NavNT\\vptray.exe"="Norton AntiVirus"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe"="Norton AntiVirus Auto-Protect Service"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\cfgwiz.exe"="Symantec Internal Component"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"="URL Check List"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"="Norton Security Center Helper"

[HKEY_USERS\S-1-5-21-1833754385-3838629134-3540252015-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\BootWarn.exe"="Norton AntiVirus Boot Warning"

Shaba
2009-09-12, 10:39
I'm sorry, I have missed this one.

Still some issues?

Shaba
2009-09-19, 18:04
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.