MyWay.MyWebSearch virus in the Locked Registry Keys



condor
2010-01-02, 01:39
I would appreciate your help in removing the MyWay.MyWebSearch from the Locked Registry Keys section of my Registry.
Spybot found it at HKEY_USERS\S-1-5-21 section and Combofix confirmed the (3) lines at the address found by Spybot were in the Locked Registry Keys.
(Malwarebytes found no problems).
I have given myself full administrator permissions, after downloading Microsoft's SubinACL program to reset the permissions, but still cannot delete the 3 lines in the registry. When I use Regedit and right click on the 3 lines I get "cannot open" or "cannot delete" error messages.
I am obviously doing something wrong with the Permissions but I am not sure what.
I attach the Trend Micro HijackThis Log.
Can you please tell me what I should do next?
Thanks very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:46 PM, on 1/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\HijackThis.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 8293 bytes

peku006
2010-01-16, 15:29
Hi condor

Sorry for the delay; if you still need help, post a new HJT log.

Thanks peku006

condor
2010-01-16, 17:16
I really appreciate your help with this.
Thanks.

Here is the HJT Log.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:26 AM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 8966 bytes
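As an added example (not from this thread and not part of Trend Micro's tool), here is a small Python triage script for HijackThis-format lines like the ones posted above: it parses the entry lines, flags R0/R1 home and search URLs that point outside an assumed trusted-host list, flags registrations whose DLL is "(no file)", and lists which entries appeared between two logs. The two log fragments are constructed from the kinds of lines in this thread (the "after" sample deliberately uses a non-Microsoft Start Page to show what a hijack looks like), and the trusted-host list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample fragments in HijackThis v2 line format, modelled on the kinds of
# entries in the logs above (a few lines each, not complete logs). The "after" sample
# changes the Start Page to a non-Microsoft host to show what a hijack would look like.
LOG_BEFORE = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/search
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
"""

# Every HijackThis entry line starts with a section code (R0, R1, O2, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{0,2}) - (?P<body>.+)$")

# Assumption: hosts the browser defaults are allowed to point at on this XP/IE8 machine.
TRUSTED_URL_HOSTS = ("microsoft.com", "msn.com")


def parse_hjt(text):
    """Return (kind, body) tuples for each entry line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entries.append((match.group("kind"), match.group("body")))
    return entries


def url_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_URL_HOSTS)


def review(entries):
    """Flag the two things a helper looks at first: hijacked IE URLs and orphaned registrations."""
    findings = []
    for kind, body in entries:
        if kind in ("R0", "R1"):
            # R0/R1 bodies read "HKLM\...\Main,Start Page = http://..."
            setting, _, url = body.partition(" = ")
            if not url_is_trusted(url):
                findings.append(("hijacked-url", kind, f"{setting} -> {url}"))
        elif body.endswith("(no file)"):
            # A BHO/toolbar registration whose DLL is gone: leftover to clean up, not active code.
            findings.append(("orphan", kind, body))
    return findings


def new_entries(before, after):
    """Entries present in the later log but not the earlier one (what changed between scans)."""
    seen = set(before)
    return [entry for entry in after if entry not in seen]


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for finding in review(after):
        print("FLAG", *finding)
    for kind, body in new_entries(before, after):
        print("NEW ", kind, body)
```

Run it against two saved logs by replacing the constructed samples with the file contents; the "NEW" list is the quickest way to see what an install or a cleanup changed between scans.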

peku006
2010-01-17, 09:57
Hi condor

1 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

2 - Status Check
Please reply with

1. the logs from RSIT (log.txt, info.txt)

Thanks peku006

condor
2010-01-17, 16:49
Logfile of random's system information tool 1.06 (written by random/random)
Run by Admin at 2010-01-17 10:27:43
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 111 GB (72%) free of 153 GB
Total RAM: 2046 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:28:53 AM, on 1/17/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\4Y6O0887\RSIT[1].exe
C:\Admin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 8972 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004UA.job
C:\WINDOWS\tasks\ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job
C:\WINDOWS\tasks\ParetoLogic Registration3.job
C:\WINDOWS\tasks\ParetoLogic Update Version3.job
C:\WINDOWS\tasks\XoftSpySE.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}]
HelperObject Class - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [2005-10-14 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-08-07 138608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
MSN Toolbar BHO - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll [2009-08-09 502624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-04 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-04 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - SnagIt - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [2005-10-14 131072]
{8dcb7100-df86-4384-8842-8fa844297b3f} - MSN Toolbar - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll [2009-08-09 502624]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-10-14 14864384]
"MXOBG"=C:\WINDOWS\MXOALDR.EXE [2007-06-16 94208]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2008-05-16 13529088]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2010-01-04 149280]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2010-01-12 198160]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"=C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe [2009-06-30 2350592]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
APC UPS Status.lnk - C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\Admin\Start Menu\Programs\Startup
Check for TWS Updates.lnk - C:\Jts\WiseUpdt.exe
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE
OpenOffice.org 3.1.lnk.disabled - C:\Program Files\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-02-21 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\javaw.exe"="C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary"
"C:\Program Files\Atomic Clock Sync\Atomic.exe"="C:\Program Files\Atomic Clock Sync\Atomic.exe:*:Enabled:Atomic Clock Sync (2)"
"C:\FTGT\ftgt4.exe"="C:\FTGT\ftgt4.exe:*:Enabled:Fibonacci Galactic Trader 4"
"C:\Jts\WiseUpdt.exe"="C:\Jts\WiseUpdt.exe:*:Enabled:Check for TWS Updates"
"C:\Program Files\Outlook Express\msimn.exe"="C:\Program Files\Outlook Express\msimn.exe:*:Enabled:Outlook Express"
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\SierraChart\SierraChart.exe"="C:\SierraChart\SierraChart.exe:*:Enabled:Sierra Chart"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\TradingRooms.exe"="C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\TradingRooms.exe:*:Enabled:TradingRooms"
"C:\Ensign\Ensign.exe"="C:\Ensign\Ensign.exe:*:Enabled:Ensign Windows"
"C:\Program Files\Conference\Conference.dll"="C:\Program Files\Conference\Conference.dll:*:Enabled:Audio/Video Conference by KIOSK Team"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"C:\Program Files\Foxmail\Foxmail.exe"="C:\Program Files\Foxmail\Foxmail.exe:*:Enabled:Foxmail"
"C:\Program Files\Real Time Software Engineering\MetaServer RT 3.2 for TWS\msrt.exe"="C:\Program Files\Real Time Software Engineering\MetaServer RT 3.2 for TWS\msrt.exe:*:Enabled:MetaServer RT 3.2"
"C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe"="C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe:*:Enabled:NinjaTrader application"
"C:\MTP6RTData\MTPDataServer.exe"="C:\MTP6RTData\MTPDataServer.exe:*:Enabled:Real-Time Data Server for MTPredictor"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-01-17 10:27:45 ----A---- C:\Admin.exe
2010-01-17 10:27:43 ----D---- C:\rsit
2010-01-17 10:06:47 ----A---- C:\RSIT.exe
2010-01-15 21:45:50 ----A---- C:\WINDOWS\Active Setup Log.txt
2010-01-15 21:00:57 ----D---- C:\Documents and Settings\All Users\Application Data\Motive
2010-01-14 13:04:04 ----D---- C:\Program Files\Registry Search
2010-01-13 07:49:15 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-01-13 07:48:29 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-01-12 15:33:35 ----D---- C:\Documents and Settings\All Users\Application Data\Real
2010-01-12 15:32:20 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2010-01-12 15:31:17 ----A---- C:\WINDOWS\system32\pndx5032.dll
2010-01-12 15:31:17 ----A---- C:\WINDOWS\system32\pndx5016.dll
2010-01-12 15:31:08 ----D---- C:\Program Files\Common Files\xing shared
2010-01-12 15:30:03 ----A---- C:\WINDOWS\system32\pncrt.dll
2010-01-09 11:16:34 ----D---- C:\Documents and Settings\Admin\Application Data\CyberLink
2010-01-05 18:20:54 ----SHD---- C:\RECYCLER
2010-01-04 20:59:15 ----A---- C:\ComboFix.txt
2010-01-04 12:58:44 ----A---- C:\WINDOWS\Progs_.ini
2010-01-04 12:58:27 ----D---- C:\Program Files\Speaking Clock Deluxe
2010-01-04 08:18:48 ----A---- C:\WINDOWS\system32\javaws.exe
2010-01-04 08:18:48 ----A---- C:\WINDOWS\system32\javaw.exe
2010-01-04 08:18:48 ----A---- C:\WINDOWS\system32\java.exe
2010-01-04 08:11:12 ----D---- C:\Program Files\Windows Installer Clean Up
2010-01-03 11:20:40 ----D---- C:\Documents and Settings\All Users\Application Data\McAfee
2010-01-03 10:54:42 ----D---- C:\Program Files\Other Kaspersky uninstall Tools
2010-01-02 14:35:05 ----D---- C:\Program Files\VS Revo Group
2010-01-01 13:54:09 ----D---- C:\Program Files\Windows Resource Kits
2010-01-01 12:10:57 ----D---- C:\Documents and Settings\Admin\Application Data\Safer Networking
2010-01-01 11:46:07 ----D---- C:\Program Files\Aezay Productions
2010-01-01 10:48:45 ----A---- C:\HijackThis.exe
2009-12-31 22:09:02 ----D---- C:\Program Files\ERUNT
2009-12-31 08:29:56 ----RASHD---- C:\cmdcons
2009-12-30 20:11:49 ----D---- C:\Program Files\Safer Networking
2009-12-29 21:56:50 ----D---- C:\EnsignBackup
2009-12-29 12:55:07 ----D---- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2009-12-29 12:54:55 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-12-29 12:54:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-28 19:21:43 ----D---- C:\Program Files\ParetoLogic
2009-12-25 08:16:35 ----D---- C:\Backups_Ensign
2009-12-24 15:38:41 ----D---- C:\Program Files\Avira
2009-12-24 15:38:41 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-12-24 13:50:01 ----D---- C:\WINDOWS\temp
2009-12-23 15:00:15 ----D---- C:\Program Files\jv16 PowerTools 2009
2009-12-21 21:04:36 ----A---- C:\Boot.bak
2009-12-21 21:02:35 ----A---- C:\WINDOWS\zip.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\SWSC.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\SWREG.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\sed.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\PEV.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\NIRCMD.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\MBR.exe
2009-12-21 21:02:35 ----A---- C:\WINDOWS\grep.exe
2009-12-21 21:02:09 ----D---- C:\WINDOWS\ERDNT
2009-12-21 21:01:40 ----AD---- C:\Qoobox

======List of files/folders modified in the last 1 months======

2010-01-17 10:27:40 ----D---- C:\WINDOWS\Prefetch
2010-01-17 10:13:55 ----D---- C:\WINDOWS\system32\CatRoot2
2010-01-17 10:12:55 ----D---- C:\WINDOWS\system32\Lang
2010-01-17 09:59:34 ----A---- C:\WINDOWS\ntbtlog.txt
2010-01-17 09:55:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-01-17 08:58:03 ----D---- C:\SFDeluxe
2010-01-17 08:58:03 ----A---- C:\WINDOWS\solfire6.ini
2010-01-16 19:00:17 ----D---- C:\PINNACLE
2010-01-16 16:29:16 ----AD---- C:\WINDOWS
2010-01-16 08:50:05 ----A---- C:\WINDOWS\cdplayer.ini
2010-01-16 07:42:05 ----SHD---- C:\WINDOWS\Installer
2010-01-16 07:42:05 ----D---- C:\Config.Msi
2010-01-16 07:41:50 ----A---- C:\WINDOWS\ODBC.INI
2010-01-16 07:41:21 ----HD---- C:\WINDOWS\inf
2010-01-16 07:41:18 ----D---- C:\Program Files\Common Files
2010-01-16 07:41:12 ----A---- C:\WINDOWS\win.ini
2010-01-16 07:39:59 ----HD---- C:\WINDOWS\ShellNew
2010-01-15 21:36:01 ----D---- C:\Program Files\Mozilla Thunderbird
2010-01-15 21:05:39 ----AD---- C:\WINDOWS\system32
2010-01-15 17:31:04 ----SHD---- C:\System Volume Information
2010-01-15 17:30:57 ----D---- C:\WINDOWS\Registration
2010-01-15 15:57:55 ----D---- C:\Ensign
2010-01-15 06:53:28 ----D---- C:\Jts
2010-01-15 06:43:49 ----D---- C:\WINDOWS\Debug
2010-01-14 13:04:18 ----RD---- C:\Program Files
2010-01-14 07:02:11 ----D---- C:\WINDOWS\AppPatch
2010-01-13 07:49:23 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-01-13 07:48:49 ----HD---- C:\WINDOWS\$hf_mig$
2010-01-13 07:48:43 ----A---- C:\WINDOWS\imsins.BAK
2010-01-12 15:33:34 ----D---- C:\Documents and Settings\Admin\Application Data\Real
2010-01-12 15:32:27 ----D---- C:\Program Files\Common Files\Real
2010-01-12 15:29:58 ----D---- C:\Program Files\Real
2010-01-12 12:52:10 ----D---- C:\Program Files\Microsoft Office
2010-01-12 10:55:37 ----D---- C:\WINDOWS\system32\drivers
2010-01-08 20:52:48 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-01-08 16:01:04 ----A---- C:\WINDOWS\FTGTLogStart.TXT
2010-01-08 16:01:04 ----A---- C:\WINDOWS\FTGT32.INI
2010-01-08 08:16:03 ----A---- C:\WINDOWS\KADJISYS.INI
2010-01-08 07:57:54 ----A---- C:\WINDOWS\FTROBOT.INI
2010-01-06 14:57:33 ----D---- C:\WINDOWS\WinSxS
2010-01-06 14:54:23 ----D---- C:\SierraChart
2010-01-06 11:25:09 ----D---- C:\Program Files\World Time
2010-01-06 09:59:48 ----D---- C:\Download Files
2010-01-05 19:42:24 ----D---- C:\My Download Files
2010-01-05 17:51:13 ----A---- C:\WINDOWS\ib.ini
2010-01-04 20:53:29 ----A---- C:\WINDOWS\system.ini
2010-01-04 19:17:46 ----A---- C:\WINDOWS\system32\MRT.exe
2010-01-04 16:09:10 ----D---- C:\Program Files\databull
2010-01-04 14:56:54 ----D---- C:\Program Files\AmiBroker
2010-01-04 08:18:13 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-01-04 08:18:09 ----D---- C:\Program Files\Java
2010-01-04 08:10:38 ----D---- C:\Program Files\MSECache
2010-01-04 07:02:41 ----D---- C:\WINDOWS\system32\config
2010-01-04 07:02:21 ----D---- C:\WINDOWS\system32\wbem
2010-01-03 19:29:50 ----D---- C:\Program Files\Foxmail
2010-01-03 10:59:55 ----D---- C:\Program Files\GRETECH
2010-01-03 10:57:02 ----A---- C:\WINDOWS\NeroDigital.ini
2010-01-03 08:16:15 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-01-03 08:15:45 ----D---- C:\Program Files\Common Files\Adobe
2010-01-03 08:15:45 ----D---- C:\Program Files\Adobe
2010-01-02 11:04:52 ----A---- C:\WINDOWS\astros.ini
2010-01-02 09:29:08 ----D---- C:\FTGT
2010-01-01 12:07:40 ----RD---- C:\WINDOWS\Web
2009-12-31 18:49:07 ----RASH---- C:\boot.ini
2009-12-31 18:10:45 ----D---- C:\Program Files\Mozilla Firefox
2009-12-31 16:33:39 ----SD---- C:\WINDOWS\Tasks
2009-12-31 14:39:31 ----D---- C:\Documents and Settings\All Users\Application Data\RetroExp
2009-12-31 09:00:01 ----D---- C:\WINDOWS\Help
2009-12-29 17:09:55 ----D---- C:\WINDOWS\OPTIONS
2009-12-25 12:17:23 ----D---- C:\Program Files\Keyfinder
2009-12-24 15:23:48 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-24 14:32:10 ----D---- C:\WINDOWS\pss
2009-12-24 13:28:00 ----D---- C:\WINDOWS\system32\Restore
2009-12-24 13:17:05 ----D---- C:\Documents and Settings
2009-12-23 16:55:48 ----D---- C:\Program Files\jv16 PowerTools 2008
2009-12-23 15:36:59 ----HD---- C:\WINDOWS\msdownld.tmp
2009-12-23 15:36:55 ----D---- C:\Program Files\Internet Explorer
2009-12-23 07:52:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-20 10:32:32 ----D---- C:\Program Files\Wave59 RT
2009-12-20 10:06:31 ----D---- C:\Program Files\Droid Informatica
2009-12-19 14:09:16 ----D---- C:\Program Files\Carbonite
2009-12-19 09:30:39 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-18 14:01:04 ----D---- C:\Program Files\NinjaTrader 6.5

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-12-25 96104]
R1 GearAspiWDM;GearAspiWDM; C:\WINDOWS\system32\drivers\GearAspiWDM.sys [2005-09-09 14408]
R1 InCDPass;InCDPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys [2005-07-08 29696]
R1 incdrm;InCD Reader; C:\WINDOWS\system32\drivers\incdrm.sys [2005-07-08 28672]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 is-7P51Bdrv;is-7P51Bdrv; C:\WINDOWS\system32\DRIVERS\48164237.sys [2008-07-08 148496]
R1 is-80PSPdrv;is-80PSPdrv; C:\WINDOWS\system32\DRIVERS\47602119.sys [2008-07-08 148496]
R1 is-FTVCUdrv;is-FTVCUdrv; C:\WINDOWS\system32\DRIVERS\88850112.sys [2008-07-08 148496]
R1 is-G4K5Edrv;is-G4K5Edrv; C:\WINDOWS\system32\DRIVERS\45373222.sys [2008-07-08 148496]
R1 is-O3HS5drv;is-O3HS5drv; C:\WINDOWS\system32\drivers\61826897.sys [2008-03-05 148496]
R1 is-RFAT4drv;is-RFAT4drv; C:\WINDOWS\system32\drivers\10536068.sys [2008-03-05 148496]
R1 is-U2OSHdrv;is-U2OSHdrv; C:\WINDOWS\system32\DRIVERS\09870117.sys [2008-07-08 148496]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-12-25 28520]
R1 V2IMount;V2IMount; C:\WINDOWS\system32\drivers\V2IMount.sys [2007-04-10 56192]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-25 56816]
R2 MapMemP;MapMemP; \??\C:\WINDOWS\SYSTEM32\Drivers\MapMemP.sys []
R2 Sentinel;Sentinel; C:\WINDOWS\System32\Drivers\SENTINEL.SYS [2001-06-21 73728]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-02-21 1505792]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-10-18 4034048]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-05-16 6557408]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys [2005-07-08 99584]
S1 is-0SG48drv;is-0SG48drv; C:\WINDOWS\system32\DRIVERS\28882349.sys [2008-07-08 148496]
S1 is-1LOSJdrv;is-1LOSJdrv; C:\WINDOWS\system32\DRIVERS\20878151.sys []
S1 is-76QSDdrv;is-76QSDdrv; C:\WINDOWS\system32\drivers\20051819.sys []
S1 is-AU098drv;is-AU098drv; C:\WINDOWS\system32\DRIVERS\64293220.sys [2008-07-08 148496]
S1 is-HH2HKdrv;is-HH2HKdrv; C:\WINDOWS\system32\drivers\83042734.sys [2008-03-05 148496]
S1 is-O1MK8drv;is-O1MK8drv; C:\WINDOWS\system32\DRIVERS\73001606.sys [2008-07-08 148496]
S1 is-QA78Mdrv;is-QA78Mdrv; C:\WINDOWS\system32\DRIVERS\60464396.sys [2008-07-08 148496]
S1 is-SP0JEdrv;is-SP0JEdrv; C:\WINDOWS\system32\drivers\93704403.sys [2008-03-05 148496]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 catchme;catchme; \??\C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys []
S3 HidBatt;HID UPS Battery Driver; C:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
S3 MXOFX;USB Storage Adapter FX (MXO); C:\WINDOWS\system32\DRIVERS\MXOFX.SYS [2003-10-10 32640]
S3 MXOPSWD;Maxtor OneTouch Security Driver; C:\WINDOWS\system32\DRIVERS\mxopswd.sys [2004-10-07 15360]
S3 NtApm;NT Apm/Legacy Interface Driver; C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 9344]
S3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2005-08-24 74752]
S3 Sntnlusb;Rainbow USB SuperPro; C:\WINDOWS\system32\DRIVERS\SNTNLUSB.SYS [2001-06-21 20032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RxFilter;RxFilter; C:\WINDOWS\system32\DRIVERS\RxFilter.sys [2006-12-02 50688]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-12-25 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-12-25 185089]
R2 APC UPS Service;APC UPS Service; C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe [2005-12-12 176193]
R2 AST Service;AST Service; C:\WINDOWS\system32\Astsrv.exe [2007-02-16 57344]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2007-01-09 198248]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2007-01-09 181864]
R2 FreeAgentGoNext Service;Seagate Service; C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-25 189736]
R2 GEARSecurity;GEARSecurity; C:\WINDOWS\System32\GEARSec.exe [2005-09-09 53248]
R2 InCDsrv;InCD Helper; C:\Program Files\Ahead\InCD\InCDsrv.exe [2005-07-08 871424]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-01-04 153376]
R2 Norton Ghost;Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2007-04-10 2066024]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2008-05-16 159812]
R2 RetroExpLauncher;Retrospect Express HD Launcher; C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe [2004-07-30 69632]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-08-07 242048]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2007-06-16 822424]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-02-21 405504]
S2 Roxio Upnp Server 9;Roxio Upnp Server 9; C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe [2006-12-13 294912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2007-01-09 79464]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Roxio UPnP Renderer 9;Roxio UPnP Renderer 9; C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe [2006-12-13 57344]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-01-16 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-01-15 73728]
S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S3 XoftSpyService;XoftSpyService; C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe [2009-10-23 582424]
S4 is-76QSD;is-76QSD; C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-76QSD\is-76QSD.exe -r []
S4 is-HH2HK;is-HH2HK; C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-HH2HK\is-HH2HK.exe -r []
S4 is-O3HS5;is-O3HS5; C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-O3HS5\is-O3HS5.exe -r []
S4 is-RFAT4;is-RFAT4; C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\is-RFAT4\is-RFAT4.exe -r []
S4 is-SP0JE;is-SP0JE; C:\Program Files\Kaspersky Lab Tool\is-SP0JE\is-SP0JE.exe -r []
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

condor
2010-01-17, 16:51
info.txt logfile of random's system information tool 1.06 2010-01-17 10:29:11

======Uninstall list======

-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACS PC Atlas-->C:\WINDOWS\IsUninst.exe -fC:\PCATLAS\UninPCAt.isu
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe® Photoshop® Album Starter Edition 3.2-->MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Advanced GET-->C:\WINDOWS\IsUninst.exe -fC:\GET\Uninst.isu
Advanced SystemCare 3-->"C:\Program Files\IObit\Advanced SystemCare 3\unins000.exe"
Advanced Timer 1.11.16 By: Ice Blue-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Advanced Timer\ST6UNST.LOG"
AmiBroker 5.20-->"C:\Program Files\AmiBroker\unins000.exe"
APC PowerChute Personal Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5A0C892E-FD1C-4203-941E-0956AED20A6A}\Setup.exe" -l0x9
API Switcher 061208-->"C:\Program Files\Bracket Trader\API Switcher\unins000.exe"
AstroTrader Time and Price Wheel-->C:\WINDOWS\iun6002.exe "C:\Program Files\AstroTrader Time and Price Wheel\irunin.ini"
ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Atomic Clock Sync-->C:\PROGRA~1\ATOMIC~1\UNWISE.EXE C:\PROGRA~1\ATOMIC~1\INSTALL.LOG
Audio Flash 1.2-->C:\WINDOWS\system32\ss2uinst.exe "C:\Program Files\Audio Flash\ss2uinst.dat"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Bracket Trader 07.0130a78-->"C:\Program Files\Bracket Trader\unins000.exe"
ContinuumClient-->C:\PROGRA~1\Quote.com\ContinuumClient\UNWISE.EXE C:\PROGRA~1\Quote.com\ContinuumClient\INSTALL.LOG
DAK Wave and MP3 Editor v4.2b-->MsiExec.exe /I{52752228-7A33-43C4-A2B6-028992E5CB13}
DataBull 4.9.4-->"C:\Program Files\databull\unins000.exe"
DataSharks Downloader 3.04-->"C:\Program Files\DataSharks\Downloader EOD\unins000.exe"
DePopper 2.x-->"C:\WINDOWS\undrnstl.exe" "C:\Program Files\Droid Informatica\DePopper2\uninst.dru"
DIY Deck Designer 6.5.4 - The Home Depot-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D5A4789E-C361-4B46-933D-6E15044CCF40}
DVD Solution-->"C:\Program Files\Uninstall_CDS.exe"
Dynamic Traders Group, Inc. DT4 .64-->C:\WINDOWS\UnDeploy.exe "C:\Program Files\DT4\\Deploy.log"
eChat-->C:\Ensign\eChat\UNWISE.EXE C:\Ensign\eChat\INSTALL.LOG
Ensign Windows-->C:\Ensign\UNWISE.EXE C:\Ensign\INSTALL.LOG
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Fibonacci/Galactic Trader 4-->C:\WINDOWS\IsUninst.exe -fC:\FTGT\Uninst.isu
Foxmail 5.0-->"C:\Program Files\Foxmail\unins000.exe"
HijackThis 2.0.2-->"C:\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
HQuote-->C:\Program Files\HQuote\uninstall.exe
InCD-->C:\WINDOWS\NuNInst.exe /UNINSTALL
InvestorLink Databoss version 4.62-->"C:\Program Files\InvestorLink\unins000.exe"
IrfanView (remove only)-->C:\Program Files\IrfanView\iv_uninstall.exe
IZArc 3.81-->"C:\Program Files\IZArc\unins000.exe"
Java(TM) 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
jv16 PowerTools 2008-->"C:\Program Files\jv16 PowerTools 2008\unins000.exe"
LindXpress Version 6.2.4-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Lind\LindXpress624\Uninst.isu"
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VCSETUP.EXE /REMOVE
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Loan Calculator! Plus v2.5-->C:\PROGRA~1\LOANCA~1\UNWISE.EXE C:\PROGRA~1\LOANCA~1\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MetaServer RT 3.2 for TWS Demo-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC51931F-543E-41C3-8553-F8F110C4AF08}\Setup.exe" -l0x9
MetaServer RT 3.2 for TWS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC0DF648-EF30-4CE3-AE73-FDF31B653C6F}\Setup.exe" -l0x9
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Default Manager-->MsiExec.exe /X{61BEA823-ECAF-49F1-8378-A59B3B8AD247}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Search Enhancement Pack-->MsiExec.exe /X{F8A3C1B6-D2E0-4CE1-80A2-555D6F71C639}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Mozilla Firefox (3.0.16)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.22)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSN Toolbar Platform-->MsiExec.exe /I{547C4A03-8402-49E9-9E94-112929185B1E}
MSN Toolbar-->C:\Program Files\MSN Toolbar Installer\InstallManager.exe /UNINSTALL
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
MTPDataServer-->MsiExec.exe /I{4C859089-D2A5-4486-B826-E2B2576BD514}
MTPredictor End Of Day-->MsiExec.exe /I{7B062ED8-0D43-43E1-A6AB-9979BA5C560E}
MTPredictor6-->MsiExec.exe /X{7823AE39-410B-4C73-8206-0715FB1B9E7E}
Multimedia Launcher-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
muvee Reveal Seagate Edition-->MsiExec.exe /X{78E9A751-5616-233F-1249-16AC5758C646}
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NinjaTrader 6.5-->MsiExec.exe /I{19C2EC4E-2EC4-46E6-B838-0F8C6BD87E6B}
Norton Ghost 10.0-->MsiExec.exe /X{32F720F5-2D0D-4245-A2B0-9EB3CECF8101}
NSIS FreePOPs (remove only)-->"C:\Program Files\FreePOPs\uninstall.exe"
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OpenOffice.org 3.1-->MsiExec.exe /I{A16B3EA2-8798-4960-8D8B-18D3149AD617}
ParetoLogic Privacy Controls-->C:\Program Files\ParetoLogic\Privacy Controls\uninstaller.exe
Pegasus Mail-->C:\PMAIL\Programs\DeSetup.exe C:\PMAIL\Programs
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QFeed ActiveX Components-->C:\PROGRA~1\COMMON~1\QUOTE.COM\UNWISE.EXE C:\PROGRA~1\COMMON~1\QUOTE.COM\INSTALL.LOG
QuickTax 2006-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}\isetup.ex_" -l0x9 -uninst
QuickTax 2007-->MsiExec.exe /X{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}
QuickTax 2008-->MsiExec.exe /X{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
REALTEK Gigabit and Fast Ethernet NIC Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver-->RtlUpd.exe -r
RegAlyzer-->"C:\Program Files\Safer Networking\RegAlyzer\unins000.exe"
Retrospect Express HD 1.0-->MsiExec.exe /I{1E88F516-C8AA-4D17-9A54-8AB0768F34C1}
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Roxio Easy CD and DVD Burning-->MsiExec.exe /I{6599091B-D42D-4765-ABC3-8B25E844C746}
RunAlyzer-->"C:\Program Files\Safer Networking\RunAlyzer\unins000.exe"
Seagate Manager Installer-->"C:\Program Files\InstallShield Installation Information\{2A30052B-831C-41D3-8044-3C0388066350}\setup.exe" -runfromtemp -l0x0409 -removeonly
Seagate Manager Installer-->MsiExec.exe /X{2A30052B-831C-41D3-8044-3C0388066350}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB969897)-->"C:\WINDOWS\ie8updates\KB969897-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB972260)-->"C:\WINDOWS\ie8updates\KB972260-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Sentinel System Driver-->C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Sizer (remove only)-->C:\Program Files\Sizer\Uninstall.exe
SnagIt 5-->C:\Program Files\TechSmith\SnagIt\SIUNINST.EXE
SnagIt 7-->MsiExec.exe /I{4360BB46-507E-4361-8DCB-4FF9BDC9907B}
Solar Fire 5 Goodies-->"C:\SOLFIRE5\IsStub32.exe" -fC:\SOLFIRE5\DeIsL5.isu -cC:\SOLFIRE5\_ISREG32.DLL
Solar Fire Deluxe-->MsiExec.exe /X{6EE4648E-8FFC-4DB5-8A61-BF5D99940884}
Speaking Clock Deluxe 3.62-->"C:\Program Files\Speaking Clock Deluxe\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins001.exe"
SubliminalEzy-->C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\SubliminalEzy\UnInst.log" "/APPNAME=SubliminalEzy"
SWF Opener-->"C:\Program Files\UnH Solutions\SWF Opener\unins000.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
Trader Workstation 4.0-->C:\Jts\UNWISE.EXE C:\Jts\INSTALL.LOG
Trading Rooms Technologies, Inc TradingRooms Application-->C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\Uninstall\SETUP.EXE
TWS Interoperability Components-->C:\Jts\UNWISE.EXE C:\Jts\INSTALL.LOG
Universal Viewer-->"C:\Program Files\Universal Viewer\Uninstall.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
URGE-->MsiExec.exe /I{8BBF6DFD-0AD9-43A7-9FBD-BF065E3866AF}
USB Storage Adapter FX (MXO)-->MXOun.exe MXOFX
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
VeryPDF PDFcamp Printer v2.1-->"C:\Program Files\VeryPDF PDFcamp Printer v2.1\unins000.exe"
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Resource Kit Tools - SubInAcl.exe-->MsiExec.exe /X{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSplit Revolution (v9.02)-->C:\Program Files\WinSplit Revolution\Uninstall.exe
WoodieSwitchInstall-->MsiExec.exe /I{59C77A5E-7E33-4A7F-8B11-337D7CC8E5CB}
XoftSpySE-->C:\Program Files\XoftSpySE6\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AntiVir Desktop

======System event log======

Computer Name: AL-BF3E369F3453
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30499
Source Name: Service Control Manager
Time Written: 20091220094841.000000-300
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30496
Source Name: Service Control Manager
Time Written: 20091220094841.000000-300
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30493
Source Name: Service Control Manager
Time Written: 20091220094841.000000-300
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30489
Source Name: Service Control Manager
Time Written: 20091220094841.000000-300
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 30487
Source Name: Service Control Manager
Time Written: 20091220094840.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: AL-BF3E369F3453
Event Code: 1000
Message: Faulting application ensign.exe, version 2009.7.10.0, faulting module unknown, version 0.0.0.0, fault address 0x00002000.

Record Number: 5443
Source Name: Application Error
Time Written: 20090810162654.000000-240
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 100
Message: Description: Error EC8F17B7: Cannot create recovery points for job: Complete System Backup. Error EC8F03ED: Cannot create the recovery point. Error E0BB0004: Function Create Image argument Filename is invalid. Error E7D10026: Unable to get attributes for 'E:/'. Error EBAB03F1: The system cannot find the path specified.
Details: 0xE0BB0004
Source: Norton Ghost

Record Number: 5415
Source Name: Norton Ghost
Time Written: 20090807173004.000000-240
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 100
Message: Description: Error EC8F17B7: Cannot create recovery points for job: Complete System Backup. Error EC8F03ED: Cannot create the recovery point. Error E0BB0004: Function Create Image argument Filename is invalid. Error E7D10026: Unable to get attributes for 'E:/'. Error EBAB03F1: The system cannot find the path specified.
Details: 0xE0BB0004
Source: Norton Ghost

Record Number: 5402
Source Name: Norton Ghost
Time Written: 20090806173009.000000-240
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 2004
Message: Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Record Number: 5398
Source Name: PerfNet
Time Written: 20090806070054.000000-240
Event Type: error
User:

Computer Name: AL-BF3E369F3453
Event Code: 0
Message: Configuration section system.serviceModel.activation already exists in c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\machine.config.

Record Number: 5382
Source Name: System.ServiceModel.Install 3.0.0.0
Time Written: 20090805201842.000000-240
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 4, GenuineIntel
"PROCESSOR_REVISION"=0404
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------

peku006
2010-01-17, 18:10
Hi condor

Please reply with

the ComboFix log (C:\ComboFix.txt)

Thanks peku006

condor
2010-01-17, 19:17
Hi peku006,

Here is the ComboFix log.

Thanks
condor


ComboFix 10-01-16.04 - Admin 01/17/2010 12:53:07.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 15:27 . 2010-01-01 15:48 401720 ----a-w- C:\Admin.exe
2010-01-17 15:27 . 2010-01-17 15:29 -------- d-----w- C:\rsit
2010-01-17 15:06 . 2010-01-17 14:38 278487 ----a-w- C:\RSIT.exe
2010-01-16 02:00 . 2010-01-16 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-01-14 18:04 . 2010-01-14 20:12 -------- d-----w- c:\program files\Registry Search
2010-01-13 12:15 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 20:31 . 2010-01-12 20:31 -------- d-----w- c:\program files\Common Files\xing shared
2010-01-09 16:16 . 2010-01-09 16:16 -------- d-----w- c:\documents and settings\Admin\Application Data\CyberLink
2010-01-07 02:41 . 2010-01-12 15:55 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-04 17:58 . 2010-01-04 17:58 -------- d-----w- c:\program files\Speaking Clock Deluxe
2010-01-04 13:11 . 2010-01-04 13:11 3584 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-01-04 13:11 . 2010-01-04 13:11 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-01-04 12:02 . 2010-01-04 12:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-01-03 16:20 . 2010-01-03 16:20 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-01-03 16:09 . 2010-01-04 13:17 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-03 16:09 . 2010-01-04 12:33 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-03 15:54 . 2010-01-03 19:00 -------- d-----w- c:\program files\Other Kaspersky uninstall Tools
2010-01-02 19:35 . 2010-01-02 19:35 -------- d-----w- c:\program files\VS Revo Group
2010-01-01 18:54 . 2010-01-01 18:54 -------- d-----w- c:\program files\Windows Resource Kits
2010-01-01 17:10 . 2010-01-01 17:10 -------- d-----w- c:\documents and settings\Admin\Application Data\Safer Networking
2010-01-01 16:46 . 2010-01-01 16:46 -------- d-----w- c:\program files\Aezay Productions
2010-01-01 15:48 . 2010-01-01 15:48 401720 ----a-w- C:\HijackThis.exe
2010-01-01 03:09 . 2010-01-01 03:09 -------- d-----w- c:\program files\ERUNT
2009-12-31 16:16 . 2009-12-31 16:16 87680 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 15:10 . 2009-12-31 15:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Safer Networking
2009-12-31 14:50 . 2009-12-31 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-31 01:11 . 2009-12-31 01:14 -------- d-----w- c:\program files\Safer Networking
2009-12-30 02:56 . 2010-01-04 02:55 -------- d-----w- C:\EnsignBackup
2009-12-29 17:55 . 2009-12-29 17:55 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2009-12-29 17:54 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-29 17:54 . 2009-12-29 17:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-29 17:54 . 2010-01-12 15:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-29 17:54 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 00:21 . 2009-12-29 00:21 -------- d-----w- c:\program files\ParetoLogic
2009-12-25 13:16 . 2009-12-25 13:18 -------- d-----w- C:\Backups_Ensign
2009-12-24 20:38 . 2009-12-25 12:05 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-12-24 20:38 . 2009-12-25 12:05 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-24 20:38 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-12-24 20:38 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-12-24 20:38 . 2009-12-24 20:38 -------- d-----w- c:\program files\Avira
2009-12-24 20:38 . 2009-12-24 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-12-24 18:18 . 2009-12-24 18:18 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-12-23 20:00 . 2009-12-23 20:25 -------- d-----w- c:\program files\jv16 PowerTools 2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 18:07 . 2009-02-24 15:36 1511931936 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-17 14:57 . 2009-02-24 15:36 17716160 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-01-17 00:04 . 2009-07-06 00:53 1 ----a-w- c:\documents and settings\Admin\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-16 12:41 . 2009-05-10 00:32 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2010-01-16 02:36 . 2009-04-23 23:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-01-12 20:32 . 2006-10-14 00:33 -------- d-----w- c:\program files\Common Files\Real
2010-01-12 20:29 . 2006-10-14 00:33 -------- d-----w- c:\program files\Real
2010-01-06 16:25 . 2007-12-03 23:56 -------- d-----w- c:\program files\World Time
2010-01-04 21:09 . 2008-07-04 15:19 -------- d-----w- c:\program files\databull
2010-01-04 19:56 . 2008-11-29 18:27 -------- d-----w- c:\program files\AmiBroker
2010-01-04 13:18 . 2008-12-05 21:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-04 13:18 . 2006-04-06 14:32 -------- d-----w- c:\program files\Java
2010-01-04 13:10 . 2008-03-03 17:44 -------- d-----w- c:\program files\MSECache
2010-01-04 00:29 . 2009-07-19 00:42 -------- d-----w- c:\program files\Foxmail
2010-01-03 15:59 . 2009-06-23 16:22 -------- d-----w- c:\program files\GRETECH
2010-01-03 13:15 . 2006-04-06 02:38 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-02 23:21 . 2006-04-06 02:19 87680 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-31 19:39 . 2007-06-16 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2009-12-29 00:20 . 2009-12-09 02:07 1977368 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Privacy Controls\Temp\Update.exe
2009-12-25 17:17 . 2008-07-12 12:50 -------- d-----w- c:\program files\Keyfinder
2009-12-24 20:23 . 2008-09-14 01:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-24 18:17 . 2009-12-24 18:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-12-23 21:55 . 2008-07-12 00:20 -------- d-----w- c:\program files\jv16 PowerTools 2008
2009-12-20 15:32 . 2009-05-18 18:13 -------- d-----w- c:\program files\Wave59 RT
2009-12-20 15:06 . 2007-09-13 18:22 -------- d-----w- c:\program files\Droid Informatica
2009-12-19 19:09 . 2009-12-17 15:43 -------- d-----w- c:\program files\Carbonite
2009-12-19 14:30 . 2006-12-06 13:01 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-18 19:01 . 2008-12-03 19:26 -------- d-----w- c:\program files\NinjaTrader 6.5
2009-12-18 01:29 . 2009-12-17 19:33 10134 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{4C859089-D2A5-4486-B826-E2B2576BD514}\_D63846598E61DA9099F189.exe
2009-12-18 01:29 . 2009-12-17 19:33 10134 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{4C859089-D2A5-4486-B826-E2B2576BD514}\_A0FAE5B980A735637E2FF7.exe
2009-12-17 15:45 . 2006-04-06 02:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-17 15:45 . 2009-12-17 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-17 15:45 . 2009-12-17 15:41 -------- d-----w- c:\program files\Seagate
2009-12-17 15:42 . 2009-12-17 15:41 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-12-16 21:24 . 2009-12-16 21:24 -------- d-----w- c:\program files\MTPredictor6
2009-12-09 11:24 . 2009-12-09 11:24 98304 ----a-w- c:\windows\system32\NtDirect.dll
2009-12-02 01:21 . 2009-12-02 01:21 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2009-11-30 13:22 . 2009-11-30 13:22 -------- d-----w- c:\documents and settings\Admin\Application Data\ParetoLogic
2009-11-30 13:21 . 2009-11-30 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-11-30 13:21 . 2009-11-30 12:34 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-11-30 13:21 . 2009-11-30 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-11-30 12:34 . 2009-11-30 12:34 -------- d-----w- c:\program files\XoftSpySE6
2009-11-30 12:34 . 2009-11-30 12:34 -------- d-----w- c:\program files\Common Files\XoftSpySE
2009-11-29 18:18 . 2009-11-29 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-11-21 18:24 . 2009-11-21 18:24 -------- d-----w- c:\documents and settings\Admin\Application Data\teamspeak2
2009-11-21 18:24 . 2009-11-21 18:23 -------- d-----w- c:\program files\Teamspeak2_RC2
2009-11-21 15:51 . 2004-08-04 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2007-03-17 14:55 . 2007-03-17 14:55 513 ----a-w- c:\program files\Shortcut to Microsoft Office.lnk
2004-10-01 19:00 . 2006-04-06 02:35 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2008-07-12 00:20 . 2008-07-12 00:20 23 --sha-w- c:\windows\system32\abaecdfdee_z.dll
2008-12-29 17:53 . 2008-12-29 17:53 6144 --sha-w- c:\windows\system32\ss.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speaking Clock Deluxe"="c:\program files\Speaking Clock Deluxe\SpClDlx.exe" [2009-06-30 2350592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-10-15 14864384]
"MXOBG"="c:\windows\MXOALDR.EXE" [2007-06-16 94208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-04 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-01-12 198160]

c:\documents and settings\Admin\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\jts\WiseUpdt.exe [2006-4-6 194775]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
OpenOffice.org 3.1.lnk.disabled [2009-7-5 870]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-11-16 221247]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Norton Ghost 10.0"=c:\program files\Norton Ghost\Agent\GhostTray.exe
"RetroExpress"=c:\progra~1\Dantz\RETROS~1\RetroExpress.exe /h
"Speaking Clock Lite"=c:\program files\Speaking Clock\SpClock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" /min
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Atomic Clock Sync\\Atomic.exe"=
"c:\\FTGT\\ftgt4.exe"=
"c:\\Jts\\WiseUpdt.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\SierraChart\\SierraChart.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Trading Rooms Technologies, Inc\\TradingRooms\\Avx\\TradingRooms.exe"=
"c:\\Ensign\\Ensign.exe"=
"c:\\Program Files\\Conference\\Conference.dll"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Foxmail\\Foxmail.exe"=
"c:\\Program Files\\Real Time Software Engineering\\MetaServer RT 3.2 for TWS\\msrt.exe"=
"c:\\Program Files\\NinjaTrader 6.5\\bin\\NinjaTrader.exe"=
"c:\\MTP6RTData\\MTPDataServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 is-7P51Bdrv;is-7P51Bdrv;c:\windows\system32\drivers\48164237.sys [2/24/2009 11:32 AM 148496]
R1 is-80PSPdrv;is-80PSPdrv;c:\windows\system32\drivers\47602119.sys [11/20/2008 4:26 PM 148496]
R1 is-FTVCUdrv;is-FTVCUdrv;c:\windows\system32\drivers\88850112.sys [10/18/2008 7:38 AM 148496]
R1 is-G4K5Edrv;is-G4K5Edrv;c:\windows\system32\drivers\45373222.sys [9/13/2008 3:39 PM 148496]
R1 is-O3HS5drv;is-O3HS5drv;c:\windows\system32\drivers\61826897.sys [8/1/2008 5:07 PM 148496]
R1 is-RFAT4drv;is-RFAT4drv;c:\windows\system32\drivers\10536068.sys [8/16/2008 6:26 AM 148496]
R1 is-U2OSHdrv;is-U2OSHdrv;c:\windows\system32\drivers\09870117.sys [9/7/2008 11:13 AM 148496]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/24/2009 3:38 PM 108289]
R2 AST Service;AST Service;c:\windows\system32\AstSrv.exe [2/16/2007 11:08 AM 57344]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 MapMemP;MapMemP;c:\windows\system32\drivers\MAPMEMP.SYS [4/6/2006 8:57 AM 63080]
S1 is-0SG48drv;is-0SG48drv;c:\windows\system32\drivers\28882349.sys [12/31/2008 10:17 PM 148496]
S1 is-1LOSJdrv;is-1LOSJdrv;c:\windows\system32\DRIVERS\20878151.sys --> c:\windows\system32\DRIVERS\20878151.sys [?]
S1 is-76QSDdrv;is-76QSDdrv;c:\windows\system32\drivers\20051819.sys --> c:\windows\system32\drivers\20051819.sys [?]
S1 is-AU098drv;is-AU098drv;c:\windows\system32\drivers\64293220.sys [12/19/2008 7:21 PM 148496]
S1 is-HH2HKdrv;is-HH2HKdrv;c:\windows\system32\drivers\83042734.sys [7/23/2008 5:43 AM 148496]
S1 is-O1MK8drv;is-O1MK8drv;c:\windows\system32\drivers\73001606.sys [6/20/2009 6:00 PM 148496]
S1 is-QA78Mdrv;is-QA78Mdrv;c:\windows\system32\drivers\60464396.sys [4/12/2009 6:12 PM 148496]
S1 is-SP0JEdrv;is-SP0JEdrv;c:\windows\system32\drivers\93704403.sys [7/10/2008 11:13 AM 148496]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [11/11/2008 2:33 PM 9344]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
S4 is-76QSD;is-76QSD;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-76QSD\is-76QSD.exe" -r --> c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-76QSD\is-76QSD.exe [?]
S4 is-HH2HK;is-HH2HK;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-HH2HK\is-HH2HK.exe" -r --> c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-HH2HK\is-HH2HK.exe [?]
S4 is-O3HS5;is-O3HS5;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-O3HS5\is-O3HS5.exe" -r --> c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-O3HS5\is-O3HS5.exe [?]
S4 is-RFAT4;is-RFAT4;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-RFAT4\is-RFAT4.exe" -r --> c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-RFAT4\is-RFAT4.exe [?]
S4 is-SP0JE;is-SP0JE;"c:\program files\Kaspersky Lab Tool\is-SP0JE\is-SP0JE.exe" -r --> c:\program files\Kaspersky Lab Tool\is-SP0JE\is-SP0JE.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-30 17:08]

2010-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-30 17:08]

2009-12-29 c:\windows\Tasks\ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2009-12-02 00:46]

2010-01-16 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2009-11-30 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2010-01-06 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-10-23 21:58]
.
.
------- Supplementary Scan -------
.
Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0044EC92-5F02-7234-9024-721274839705}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jboakhelckochlnfpokdfajobdamgmalnchlmpgjmnbfkechpgoh"=hex:6c,61,6f,61,70,67,
62,6f,69,62,6d,65,6d,64,64,6a,6c,62,63,69,65,62,65,67,00,31
"hboakhelckochlnfpokdfajocdllmammilcapoaahimbhodb"=hex:6e,62,70,70,62,67,68,6c,
6c,69,67,66,6c,6d,69,68,6a,69,69,62,66,6c,69,62,66,67,65,70,70,6f,65,6e,6e,\

[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6D4317B5-05CE-8C0A-C4F2-3316A1122410}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D0DDAE33-57C3-6CA1-75B1-54DD1ABBBEB0}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3452)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-17 13:12:36
ComboFix-quarantined-files.txt 2010-01-17 18:12
ComboFix2.txt 2010-01-05 01:59
ComboFix3.txt 2010-01-03 18:53
ComboFix4.txt 2010-01-03 03:17
ComboFix5.txt 2010-01-17 17:51

Pre-Run: 115,850,489,856 bytes free
Post-Run: 115,850,637,312 bytes free

- - End Of File - - 4782DD96C11AA978FA92F87EDC7497E2

peku006
2010-01-17, 19:58
Hi condor

SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyWebSearch


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Thanks peku006

condor
2010-01-17, 20:14
Hi peku006

Here's the SystemLook log. Looks like we found something!
Thanks

condor

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 14:08 on 17/01/2010 by Admin (Administrator - Elevation successful)

========== regfind ==========

Searching for "MyWebSearch"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net]
[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]

-=End Of File=-

peku006
2010-01-18, 10:54
Hi condor

Download and run OTM

Download OTM (http://oldtimer.geekstogo.com/OTM.exe) by Old Timer and save it to your Desktop.

Double-click OTM.exe to run it.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area. Do not include the word Code.

:Reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[-HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net]
[-HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net]
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net]

:Commands

[emptytemp]



Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Thanks peku006
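An added example, not code from this thread or from the SystemLook/OTM tools: the script below does in PowerShell what the :regfind step and the :Reg removal list above did with those tools, listing every registry key whose name contains the search term and removing the matches only when -Remove is given (run it with -WhatIf first to preview). It assumes PowerShell 2.0 or later and an elevated session; the search term "MyWebSearch" is the one from the thread.

```powershell
# Added example (not from the thread or from SystemLook/OTM).
# Lists registry keys whose name matches $Pattern; removes them only with -Remove.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Pattern = 'MyWebSearch',   # the term searched for in the thread
    [switch]$Remove                     # without it the script only reports
)

# HKEY_USERS is not mapped as a drive by default. The thread's hits lived under
# HKU\.DEFAULT, HKU\S-1-5-18/19/20 and the HKU\S-1-5-21-... user hive; the
# current user's HKCU is the same data as its S-1-5-21-... entry under HKU.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$roots  = 'HKLM:\SOFTWARE', 'HKU:\'
$denied = @()   # keys the recursion could not open (locked ACLs)

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue -ErrorVariable +denied |
        Where-Object { $_.PSChildName -like "*$Pattern*" } |
        ForEach-Object { $_.Name }   # e.g. HKEY_USERS\S-1-5-21-...\...\mywebsearch.net
}

Write-Output "Searching for `"$Pattern`""
if ($hits) { $hits | ForEach-Object { Write-Output "[$_]" } }
else       { Write-Output 'No data found.' }

# A key that cannot even be enumerated is a finding in itself: the ComboFix
# "LOCKED REGISTRY KEYS" section above lists exactly such keys.
if ($denied.Count -gt 0) {
    Write-Output "Keys skipped because they could not be opened: $($denied.Count)"
}

if ($Remove) {
    foreach ($key in $hits) {
        # Registry:: paths work for any hive. -WhatIf on the script flows
        # through ShouldProcess, so nothing is deleted during a preview.
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -Path "Registry::$key" -Recurse -ErrorAction Stop
        }
    }
}
```

Keys reported as skipped need their ACLs inspected (or a tool that runs before the locking code, as ComboFix does) before removal will succeed.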

condor
2010-01-18, 14:00
Hi peku006,

That was great to see those nasties go!

Here is the OTM log.

Thanks very much!

condor


All processes killed
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net\ deleted successfully.
Registry key HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ deleted successfully.
Registry key HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\mywebsearch.net\ not found.
Registry key HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ not found.
Registry key HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.net\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mywebsearch.net\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\mywebsearch.ne\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Admin
->Temp folder emptied: 31523 bytes
->Temporary Internet Files folder emptied: 14245927 bytes
->Java cache emptied: 1685611 bytes
->FireFox cache emptied: 41487700 bytes
->Google Chrome cache emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Allan

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 9030437 bytes
%systemroot%\System32 .tmp files removed: 348160 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34318 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 64.00 mb


OTM by OldTimer - Version 3.1.6.0 log created on 01182010_073556

Files moved on Reboot...

Registry entries deleted on Reboot...

peku006
2010-01-18, 14:19
Hi condor

looks good, but we can check again


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyWebSearch


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

Thanks peku006

condor
2010-01-18, 14:36
Hi peku006,

Here is the log.

This has been a great learning experience for me seeing how you work with these kind of issues. Without your help I would probably be re-formatting my drive now!
Thank you so much.

condor

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:22 on 18/01/2010 by Admin (Administrator - Elevation successful)

========== regfind ==========

Searching for "MyWebSearch"
No data found.

-=End Of File=-

peku006
2010-01-18, 15:42
Hi condor

I would probably be re-formatting my drive now!
"Re-formatting" is always the last option, "MyWebSearch" is easy to remove :whistle:

Logs look good, but we will run one online scan to be sure that there is nothing left......

1 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

condor
2010-01-18, 18:44
Hi Peku006,

I can only get Eset to run 20% of the scan. I have deleted folders that it was stopping at in Documents and Settings/Admin/Application Data, i.e. 3 previous versions of Java, Thunderbird Mail. After re-booting and re-starting the scan I still stop at 20% of the scan, just at a later folder each time.

Is there another scanner I could use perhaps?

Thanks

condor

Here is the ESET log file.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 03:42:07
# local_time=2010-01-18 10:42:07 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775125 100 100 0 39324205 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18189
# found=0
# cleaned=0
# scan_time=2768
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-18 03:44:55
# local_time=2010-01-18 10:44:55 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39327092 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=10222
# found=0
# cleaned=0
# scan_time=48
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:02:07
# local_time=2010-01-18 11:02:07 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39327189 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18189
# found=0
# cleaned=0
# scan_time=983
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:05:59
# local_time=2010-01-18 11:05:59 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39328218 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18188
# found=0
# cleaned=0
# scan_time=185
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:13:43
# local_time=2010-01-18 11:13:43 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39328637 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18187
# found=0
# cleaned=0
# scan_time=230
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:20:54
# local_time=2010-01-18 11:20:54 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39329124 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18187
# found=0
# cleaned=0
# scan_time=176
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:28:03
# local_time=2010-01-18 11:28:03 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39329487 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=18181
# found=0
# cleaned=0
# scan_time=241
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 04:39:07
# local_time=2010-01-18 11:39:07 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39329798 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=19680
# found=0
# cleaned=0
# scan_time=593
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 05:07:35
# local_time=2010-01-18 12:07:35 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39330993 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=19680
# found=0
# cleaned=0
# scan_time=1107
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=89ec57b264976e4392090b9f159b5a89
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-01-18 05:32:36
# local_time=2010-01-18 12:32:36 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1797 16775141 100 100 0 39332845 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=19680
# found=0
# cleaned=0
# scan_time=755

peku006
2010-01-18, 19:04
Hi condor

Ok, let's try this

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

peku006

condor
2010-01-19, 01:48
Hi peku006,

Here are the 2 text files Kaspersky and HJT.

Kaspersky Online Scanner 7 No threats found
System information
Update
Scan
Critical areas
My Computer
Folder...
File...

Report
Support
Help
SettingsUpdateNew viruses, Trojans and other malware appear in the world every
day; therefore, it is extremely important to keep the databases
up-to-date.Database information

Database date:09.21.2010 21:01:00

Records in database:3330776

Program download and update (100%)

Size of updates:1 KB
Downloaded:1 KB
Program work files are loaded. The program is started.
Database update (100%)


Size of updates:632 KB
Downloaded:176 KB
Last start:04.38.2010 16:01:265
Status:completed successfully
The program is starting. Please wait...
Updates source is selected: http://www.kaspersky.com
File download: packages/kos-extras.jar
The program is started.

Updating the anti-virus database. Please wait...
Updates source is selected: http://dnl-06.geo.kaspersky.com/
File download: index/master.xml.klz
File download: diffs/bases/five/avc/kavset.xml.fzb
File download: bases/five/avc/kavset.xml.klz
File download: diffs/bases/five/avc/krnjava.avc.py-
File download: bases/five/avc/krnjava.avc
File download: diffs/bases/five/avc/krnengn.avc.amk
File download: bases/five/avc/krnengn.avc
File download: diffs/bases/five/avc/fa001.avc.oio
File download: diffs/bases/five/avc/dailyc.avc.skj
File download: diffs/bases/five/avc/daily-ec.avc.qyn
File download: diffs/bases/five/avc/daily.avc.rvi
File download: diffs/bases/five/avc/avp.klb.ndj
Update completed. The program is ready to scan your computer.

Scan - My Computer
Scan statistics

Objects scanned: 170348
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:40:26

Last start: 04.39.2010 16:01:953
Status: completed successfully

Scanning: 01182010_073556.res
Path: C:\_OTM\MovedFiles

About Kaspersky Online Scanner 7.0
Version: 7.0.26.13
Database date: 09.21.2010 21:01:00
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Settings
Scan computer for the presence of these threats:
Viruses, worms, Trojans, rootkits
Spyware, adware, dialers and other riskware

Scan compound objects (not applicable for single files selected individually):
Archives
E-mail databases


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:53 PM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 9035 bytes

peku006
2010-01-19, 08:58
Hi condor

excellent work :bigthumb:


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

All logs are OK, we can check if some software needs updating

Security Check
Please download Security Check (http://screen317.spywareinfoforum.org/SecurityCheck.exe) ... by screen317. Save it to your desktop.
Alternate download site: Link 2 (http://screen317.changelog.fr/SecurityCheck.exe)
Double click the SecurityCheck.exe icon to begin.
Press the Space Bar when you see the "press any key to continue..." message.
A Notepad results file will open automatically called checkup.txt
Save "checkup.txt" to your desktop. (This output file is NOT automatically saved!)
Please copy/paste the entire contents of the checkup.txt file into your next reply.

Thanks peku006

condor
2010-01-19, 13:37
Hi peku006,

HJT fixed the 2 items. Here is the Security Check log.

Regards

condor

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
ESET Online Scanner v3
Avira updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
XoftSpySE
Spybot - Search & Destroy
Norton Ghost 10.0
HijackThis 2.0.2
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

peku006
2010-01-19, 14:56
Hi condor

It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Please reply with

a fresh HijackThis log

Thanks peku006

condor
2010-01-19, 17:13
Hi peku006,

Seems we still have a problem! I ran Spybot and it shows MyWay.MyWebSearch in the HKEY_USERS\S-1-5-21 Registry area.

Adobe has been taken care of.

Here is the HJT log.

Thanks

condor


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:10 AM, on 1/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 9337 bytes

peku006
2010-01-19, 17:29
Hi condor

Run SpyBot, check for problems, fix all red items, and when it's finished right click and choose copy results (not full report) to clipboard and paste that back here please.

Thanks peku006

condor
2010-01-19, 17:48
Hi peku006,

I am typing this from my Snagit save from the earlier scan.

(Spybot has corrected the problem, but in the past it has always come back re-infected).

[SBI $B267ADF3] IE toolbar
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

I am re-running Spybot again now.

Thanks

condor

peku006
2010-01-19, 19:14
Hi condor

This is not "MyWebSearch"; it belongs to ZoneAlarm Spy Blocker or ASK Toolbar

HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

peku006

condor
2010-01-19, 19:49
Hi peku006,

Interesting.

On the second run the same "MyWay.MyWebSearch" showed up again.

After having Spybot delete the problem, here is the "Results.txt" from Spybot's second run.

Thanks

condor

MyWay.MyWebSearch: [SBI $B267ADF3] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2006-10-20 unins000.exe (51.41.0.0)
2009-02-24 unins001.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2009-10-08 Includes\Adware.sbi (*)
2010-01-12 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-01-12 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-01-12 Includes\HijackersC.sbi (*)
2009-12-15 Includes\Keyloggers.sbi (*)
2010-01-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-12-30 Includes\Malware.sbi (*)
2010-01-12 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-01-12 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-01-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2010-01-12 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-12-08 Includes\Trojans.sbi (*)
2010-01-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

peku006
2010-01-19, 20:07
Hi condor

Please read this What is Mway.MywebSearch? (http://forums.spybot.info/showthread.php?t=41149&highlight=switchman05)


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyWebSearch
Fun Web


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Thanks peku006
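
The two HijackThis fixes in this thread target O2 entries whose DLL reads "(no file)" (CLSIDs still registered as BHOs although the file is gone), and the Spybot hit is a toolbar CLSID under a per-user HKEY_USERS\S-1-5-21-... key; the SystemLook regfind hits later in the thread sit under ComDlg32\OpenSaveMRU, which only records file names that the user has opened or saved. The following Python triage helper is an added example, not the thread's own code nor a tool any of the participants used: it parses HJT-style O2/O3 lines, lists orphaned CLSIDs, extracts the SID and CLSID from a Spybot registry hit, cross-references the two, and flags MRU-only hits. The sample lines are copied from the logs above; the MRU rule is an assumption drawn from the SystemLook output in this thread.

```python
"""Triage helper for HijackThis / Spybot / SystemLook text (added example).

Not part of the thread and not code from HijackThis, Spybot or SystemLook.
The sample inputs below are copied from log lines quoted in the thread.
"""
import re

# Constructed from the HJT log above: three O2 BHOs (two orphaned), one O3 toolbar
# and one O4 line that the O2/O3 parser must ignore.
HJT_SAMPLE = """\
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\\Program Files\\TechSmith\\SnagIt 7\\SnagItBHO.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\\Program Files\\TechSmith\\SnagIt 7\\SnagItIEAddin.dll
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
"""

# Spybot "copy results" output as posted in the thread.
SPYBOT_SAMPLE = """\
MyWay.MyWebSearch: [SBI $B267ADF3] IE toolbar (Registry value, fixed)
HKEY_USERS\\S-1-5-21-1844237615-1326574676-725345543-1004\\Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HKU_SID_RE = re.compile(r"^HKEY_USERS\\(S-1-5-[0-9-]+)\\")
# "O2 - BHO: <name> - {CLSID} - <dll or (no file)>" and the O3 Toolbar equivalent.
ENTRY_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[^}]+\}) - (.*)$")


def parse_hjt(text):
    """Return one dict per O2/O3 line; other HJT sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, name, clsid, target = m.groups()
        entries.append({
            "section": section,
            "name": name,
            "clsid": clsid.upper(),
            "target": target,
            # HJT prints "(no file)" when the registered DLL no longer exists:
            # a dangling CLSID registration, which is what "Fix Checked" removes.
            "orphaned": target == "(no file)",
        })
    return entries


def orphaned_clsids(entries):
    """CLSIDs whose backing DLL is missing, in log order."""
    return [e["clsid"] for e in entries if e["orphaned"]]


def spybot_registry_hits(text):
    """Pull the user SID and CLSID out of Spybot HKEY_USERS result lines."""
    hits = []
    for line in text.splitlines():
        sid = HKU_SID_RE.match(line)
        clsid = CLSID_RE.search(line)
        if sid and clsid:
            hits.append({"sid": sid.group(1), "clsid": clsid.group(0).upper(), "key": line})
    return hits


def cross_reference(entries, hits):
    """Map each Spybot CLSID to the HJT sections that also list it ([] if none)."""
    return {
        h["clsid"]: [e["section"] for e in entries if e["clsid"] == h["clsid"]]
        for h in hits
    }


def is_mru_echo(key_path):
    """True for hits under the Open/Save file dialog MRU (assumed rule).

    Such a hit only means a file whose *name* contains the search string was
    opened or saved; it is not evidence of the component itself.
    """
    return "\\COMDLG32\\OPENSAVEMRU" in key_path.upper()


if __name__ == "__main__":
    entries = parse_hjt(HJT_SAMPLE)
    print("orphaned CLSIDs:", orphaned_clsids(entries))
    hits = spybot_registry_hits(SPYBOT_SAMPLE)
    for h in hits:
        print("Spybot hit for user", h["sid"], "CLSID", h["clsid"])
    print("HJT sections listing the Spybot CLSID:", cross_reference(entries, hits))
```

The cross-reference coming back empty is itself the finding: the CLSID Spybot reports lives only in that one user's toolbar layout key, which HijackThis does not list, so the two tools are not contradicting each other.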

condor
2010-01-19, 21:24
Sorry peku006,

My apologies for wasting your time like that. I see now how I managed to re-infect the computer myself. Won't do that again.

I have deleted the two items you indicated with HJT.

Here is the SystemLook.txt.

Thank you

condor


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:09 on 19/01/2010 by Admin (Administrator - Elevation successful)

========== regfind ==========

Searching for "MyWebSearch"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp]
"a"="C:\Documents and Settings\Admin\My Documents\MyWay.MyWebSearch_Sagit_Jan19_2010.bmp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp]
"a"="C:\Documents and Settings\Admin\My Documents\MyWay.MyWebSearch_Sagit_Jan19_2010.bmp"
[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp]
"a"="C:\Documents and Settings\Admin\My Documents\MyWay.MyWebSearch_Sagit_Jan19_2010.bmp"
[HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp]
"a"="C:\Documents and Settings\Admin\My Documents\MyWay.MyWebSearch_Sagit_Jan19_2010.bmp"

Searching for "Fun Web"
No data found.

-=End Of File=-

peku006
2010-01-20, 09:41
Hi condor

You have not wasted my time, you've done everything I asked, and the main thing is that your problem is gone

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Delete Security Check and SystemLook from your desktop.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup Process?" prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy safe surfing! :bigthumb:

peku006
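
The MVPS Hosts file recommendation above works because the resolver consults the local hosts file before DNS, so any name listed there with a loopback or unspecified address never reaches the network. The following Python block is an added example, not the thread's code and not MVPS's: it parses a hosts file the way the resolver reads it (address, then one or more names per line, "#" starts a comment, names compared case-insensitively, first entry wins) and reports which names are sinkholed. The hosts content is constructed; only the localhost lines mirror a stock Windows hosts file, and the blocked names are hypothetical.

```python
"""Hosts-file sinkhole check (added example; not from the thread or MVPS)."""

# Addresses a blocking hosts file uses to sinkhole a name. MVPS-style files
# use 0.0.0.0 or 127.0.0.1; ::1 is included for IPv6 entries.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: the two localhost lines match a stock Windows hosts
# file; the blocking entries use reserved example names, not real ad hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed blocking entries in MVPS-style format
0.0.0.0  ads.example   # hypothetical ad host
0.0.0.0  tracker.example.net www.tracker.example.net
127.0.0.1 toolbar-download.example.org
"""


def parse_hosts(text):
    """Return {hostname (lower-case): address} following resolver rules.

    A '#' starts a comment, blank lines are ignored, a line may carry several
    names, and the first mapping for a name wins (later duplicates are ignored).
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # an address with no name is not an entry
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the name resolves locally to a sinkhole address."""
    addr = mapping.get(hostname.lower().rstrip("."))
    return addr is not None and addr in SINKHOLE_ADDRESSES


def sinkholed_names(mapping):
    """All blocked names, excluding the normal localhost entries."""
    return sorted(
        name for name, addr in mapping.items()
        if addr in SINKHOLE_ADDRESSES and name != "localhost"
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", sinkholed_names(hosts))
    for probe in ("ADS.EXAMPLE", "www.tracker.example.net", "example.com"):
        print(probe, "->", "sinkholed" if is_sinkholed(hosts, probe) else "not in hosts file")
```

Run the same functions over the real C:\Windows\System32\drivers\etc\hosts to confirm an installed MVPS file is actually being parsed as expected, and to spot a stray entry that points a legitimate name somewhere other than a sinkhole address, which is the opposite, malicious use of the same file.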

condor
2010-01-20, 18:13
Hi peku006,

I am glad everything went well.
Many thanks for your clear instructions and your patience in guiding me through the process.

I ran Spybot twice this morning and "MyWebSearch" is indeed, thankfully, gone.

I have completed the clean up process and downloaded the recommended programs. So hopefully I should be well protected going forward.

I do have a question, if you have time? What are those restricted "read only" code lines in the Locked Registry? I thought they were the problem, but it seems that this was only the area where the virus was hiding?

Anyway, thanks for all your help. You were great!

Much appreciated.

condor

peku006
2010-01-21, 10:51
Hi condor

What are those restricted "read only" code lines in the Locked Registry? I thought they were the problem, but it seems that this was only the area where the virus was hiding?
As the name says, "read only" means that you cannot make changes, but it can be easily removed if it is not "locked".
It is not necessarily malicious software which makes it "read only".

Windows Registry (http://en.wikipedia.org/wiki/Windows_Registry)

Thanks peku006

condor
2010-01-23, 15:30
Hi Peku006,

When I ran Spybot now it picked up "MyWebSearch" as still there.

I am attaching the Spybot log and HJT.

Could you please have a look when you get a chance?

Thanks again

condor


--- Search result list ---
MyWay.MyWebSearch: [SBI $B267ADF3] IE toolbar (Registry value, fixed)
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---




--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)


--- Startup entries list ---
Located: HK_LM:Run, Adobe ARM
command: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
file: C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
size: 948672
MD5: 73BB442A717B9BB0097C243374C14A3E

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
size: 35760
MD5: 466CE40EAA865752F4930A472563E4E1

Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 58992
MD5: 84EC0B55BCBE872F999ACDCE58E3F67D

Located: HK_LM:Run, MXOBG
command: C:\WINDOWS\MXOALDR.EXE
file: C:\WINDOWS\MXOALDR.EXE
size: 94208
MD5: A6B33A9B1452178AA7968EFFEF266A1D

Located: HK_LM:Run, Norton Ghost 10.0
command: "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
file: C:\Program Files\Norton Ghost\Agent\GhostTray.exe
size: 1537648
MD5: 5F8BDC81AC2063C1C4BBAFB23F219B90

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 13529088
MD5: 4D8E9C2FB7E234A7FDFA6EC54794217F

Located: HK_LM:Run, RTHDCPL
command: RTHDCPL.EXE
file: C:\WINDOWS\RTHDCPL.EXE
size: 14864384
MD5: 569DDC03B8FEA3936731CAE99DD95FA5

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre6\bin\jusched.exe"
file: C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 3A0647BDED81DBE0BCBB51D70B22C9E0

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 198160
MD5: 29BE51557A3E686B297BE273EB17CA67

Located: HK_LM:Run, WinPatrol
command: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
file: C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
size: 320832
MD5: 5F53750CEA64C8D5882D808718A7074A

Located: HK_LM:Run, avgnt (DISABLED)
command: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
file: C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
size: 209153
MD5: 29680A793F690EEF4AAA68479D2A6DF8

Located: HK_LM:Run, MaxMenuMgr (DISABLED)
command: "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
file: C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
size: 185640
MD5: 473E323057CF9893D7E8C1E2D0CCED23

Located: HK_LM:Run, Microsoft Default Manager (DISABLED)
command: "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
file: C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
size: 288080
MD5: F8B91C91225E5CAA2B2F0370201021C0

Located: HK_LM:Run, MSN Toolbar (DISABLED)
command: "C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe"
file: C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\mswinext.exe
size: 239456
MD5: FB4C2A7FF1B6F78395760319B8CD48F2

Located: HK_LM:Run, NvCplDaemon (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\NvCpl.dll
size: 13529088
MD5: 4D8E9C2FB7E234A7FDFA6EC54794217F

Located: HK_LM:Run, NvMediaCenter (DISABLED)
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\NvMcTray.dll
size: 86016
MD5: 3BC7B677094A2EF0BDDC3A9375E1F8A2

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Speaking Clock Deluxe
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
file: C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
size: 2350592
MD5: B967DC47D7A432C95BA048EE168E1875

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: HK_CU:RunOnce, FlashPlayerUpdate
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
file: C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, Norton Ghost 10.0 (DISABLED)
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\Program Files\Norton Ghost\Agent\GhostTray.exe
file: C:\Program Files\Norton Ghost\Agent\GhostTray.exe
size: 1537648
MD5: 5F8BDC81AC2063C1C4BBAFB23F219B90

Located: HK_CU:Run, RetroExpress (DISABLED)
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
file: C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
size: 6946816
MD5: BFBBD64C1CF253183C20BCE6EA8D4E45

Located: HK_CU:Run, Speaking Clock Lite (DISABLED)
where: S-1-5-21-1844237615-1326574676-725345543-1004...
command: C:\Program Files\Speaking Clock\SpClock.exe
file: C:\Program Files\Speaking Clock\SpClock.exe
size: 845824
MD5: 76B56FB8C1ADC6616E6300E9F2D273FB

Located: Startup (common), APC UPS Status.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
file: C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe
size: 221247
MD5: 0B81AFF779A259847351DFE2C9856785

Located: Startup (common), Microsoft Office.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office\OSA9.EXE
file: C:\Program Files\Microsoft Office\Office\OSA9.EXE
size: 65588
MD5: 57CB86B1CDD77EB5138BA05D1F193463

Located: Startup (user), Check for TWS Updates.lnk
where: C:\Documents and Settings\Admin\Start Menu\Programs\Startup...
command: C:\Jts\WiseUpdt.exe
file: C:\Jts\WiseUpdt.exe
size: 194775
MD5: F28139405132E8106398A389E91FA034

Located: Startup (user), ERUNT AutoBackup.lnk
where: C:\Documents and Settings\Admin\Start Menu\Programs\Startup...
command: C:\Program Files\ERUNT\AUTOBACK.EXE
file: C:\Program Files\ERUNT\AUTOBACK.EXE
size: 38912
MD5: E00DE20F0F6BED5CD2160247DDC9443B

Located: Startup (user), OpenOffice.org 3.1.lnk (DISABLED)
where: C:\Documents and Settings\Admin\Start Menu\Programs\Startup...
command: C:\Program Files\OpenOffice.org 3\program\quickstart.exe
file: C:\Program Files\OpenOffice.org 3\program\quickstart.exe
size: 384000
MD5: C1CF9F3B71E02F06F761021A466518A3

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{00C6482D-C502-44C8-8409-FCE54AD9C208} (HelperObject Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: HelperObject Class
description: SnagIt
classification: Legitimate
known filename: SnagItBHO.dll
info link: http://www.techsmith.com/products/snagit/default.asp
info source: TonyKlein
Path: C:\Program Files\TechSmith\SnagIt 7\
Long name: SnagItBHO.dll
Short name: SNA335~1.DLL
Date (created): 10/14/2005 6:25:00 AM
Date (last access): 6/28/2008 2:29:58 PM
Date (last write): 10/14/2005 6:25:00 AM
Filesize: 49152
Attributes: archive
MD5: 6AE7D64380CD65BF4C1B637A0E55CD10
CRC32: A536FC51
Version: 1.0.1.0

{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name: ACROIE~2.DLL
Date (created): 12/21/2009 6:27:44 PM
Date (last access): 1/19/2010 9:21:20 AM
Date (last write): 12/21/2009 6:27:44 PM
Filesize: 75200
Attributes: archive
MD5: DC1E56092CC57FB4605B088D3DCCBF7A
CRC32: FF82C62B
Version: 9.3.0.148

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 8/8/2008 6:22:16 PM
Date (last access): 2/24/2009 11:17:02 AM
Date (last write): 1/26/2009 3:31:02 PM
Filesize: 1879896
Attributes: archive
MD5: 022C2F6DCCDFA0AD73024D254E62AFAC
CRC32: 5BA24007
Version: 1.6.2.14

{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} (Search Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Search Helper
CLSID name: Search Helper
Path: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\
Long name: SEPsearchhelperie.dll
Short name:
Date (created): 8/7/2009 5:15:06 PM
Date (last access): 11/1/2009 11:21:30 AM
Date (last write): 8/7/2009 5:15:06 PM
Filesize: 138608
Attributes: archive
MD5: 09F3D779638216DBB6B8D4C1075D6A8F
CRC32: 9CD33635
Version: 2.0.264.0

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live ID Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live ID Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name:
Date (created): 8/18/2009 11:32:12 AM
Date (last access): 11/1/2009 11:20:18 AM
Date (last write): 8/18/2009 11:32:12 AM
Filesize: 403840
Attributes: archive
MD5: D46ED7D33E847CD9E78E9F02910536B5
CRC32: A5B7CE0C
Version: 6.500.3165.0

{d2ce3e00-f94a-4740-988e-03dc2f38c34f} (MSN Toolbar BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: MSN Toolbar BHO
Path: C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\
Long name: npwinext.dll
Short name:
Date (created): 8/9/2009 10:08:46 PM
Date (last access): 11/1/2009 11:21:26 AM
Date (last write): 8/9/2009 10:08:46 PM
Filesize: 502624
Attributes: archive
MD5: 624A57138BA05FC42BEE1861E1A54FC0
CRC32: 4DAC0139
Version: 4.0.205.2

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 1/4/2010 8:18:16 AM
Date (last access): 1/4/2010 8:18:16 AM
Date (last write): 1/4/2010 8:18:16 AM
Filesize: 41760
Attributes: archive
MD5: C9EDE29F223A27873E187D9FB6045EA6
CRC32: 5951C3E0
Version: 6.0.170.4

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name: JQS_PL~1.DLL
Date (created): 1/4/2010 8:18:18 AM
Date (last access): 1/4/2010 8:18:18 AM
Date (last write): 1/4/2010 8:18:18 AM
Filesize: 73728
Attributes: archive
MD5: DEE8F03D1EACE0C8F914A2C76568EA32
CRC32: 53F8F67C
Version: 6.0.170.4



--- ActiveX list ---
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer:
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 4:19:32 AM
Date (last access): 11/1/2009 6:54:08 PM
Date (last write): 8/6/2009 7:23:46 PM
Filesize: 215920
Attributes: archive
MD5: A1350D646EF6E57E8F4F33EBE7320D08
CRC32: AB3CA24F
Version: 7.4.7600.226

{7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control)
DPF name:
CLSID name: OnlineScanner Control
Installer:
Codebase: http://download.eset.com/special/eos/OnlineScanner.cab
Path: C:\PROGRA~1\ESET\ESETON~1\
Long name: OnlineScanner.ocx
Short name: ONLINE~1.OCX
Date (created): 1/18/2010 9:51:46 AM
Date (last access): 1/18/2010 9:51:46 AM
Date (last write): 10/26/2009 3:45:44 PM
Filesize: 3356232
Attributes: archive
MD5: B933ED3DB918479B8AB39BDD445DB37B
CRC32: 7376E693
Version: 1.0.0.6211

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 1/4/2010 8:18:16 AM
Date (last access): 1/4/2010 8:18:16 AM
Date (last write): 1/4/2010 8:18:16 AM
Filesize: 136992
Attributes: archive
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:

{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 1/4/2010 8:18:16 AM
Date (last access): 1/4/2010 8:18:16 AM
Date (last write): 1/4/2010 8:18:16 AM
Filesize: 136992
Attributes: archive
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_17
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_17.dll
Short name: NPJPI1~1.DLL
Date (created): 1/4/2010 8:18:16 AM
Date (last access): 1/4/2010 8:18:16 AM
Date (last write): 1/4/2010 8:18:16 AM
Filesize: 136992
Attributes: archive
MD5: 3D58770680F268A23A8CE1F14B49AA2F
CRC32: 6091A816
Version: 6.0.170.4

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer:
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10c.ocx
Short name:
Date (created): 7/17/2009 10:12:12 PM
Date (last access): 8/18/2009 6:19:30 AM
Date (last write): 7/17/2009 10:12:12 PM
Filesize: 3979680
Attributes: readonly archive
MD5: 43C6ACDFB92A18C3E516E6BD5F1ACD51
CRC32: D6F40D46
Version: 10.0.32.18

{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class)
DPF name:
CLSID name: GpcContainer Class
Installer:
Codebase: https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
description:
classification: Legitimate
known filename: ieatgpc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ieatgpc.dll



--- Process list ---
PID: 0 ( 0) [System]
PID: 548 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 628 ( 548) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 656 ( 548) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 700 ( 656) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 712 ( 656) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 900 ( 700) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 976 ( 700) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1060 ( 700) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1096 ( 700) C:\Program Files\Ahead\InCD\InCDsrv.exe
size: 871424
MD5: E9372A17C22FC4E5C9FD8798A97775FC
PID: 1276 ( 700) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1388 ( 700) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1496 ( 700) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 165488
MD5: BB98479C3135C05291D54DEBD7B310D5
PID: 1564 ( 700) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 198256
MD5: 69637EB41F3467DDA6CCCEBA7C320E0A
PID: 1572 (1504) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 1776 ( 700) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1824 ( 700) C:\Program Files\Avira\AntiVir Desktop\sched.exe
size: 108289
MD5: 9015BC03F62940527EC92D45EE89E46F
PID: 1968 ( 700) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2024 ( 700) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
size: 185089
MD5: B8720A787C1223492E6F319465E996CE
PID: 2036 ( 700) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
size: 176193
MD5: DC45AB27932447B598848B10650313C5
PID: 152 ( 700) C:\WINDOWS\system32\Astsrv.exe
size: 57344
MD5: 9559BF0A1D6DCAD83A316FA1E31A755B
PID: 172 ( 700) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
size: 189736
MD5: 9513B437B7ADB1E6065B7F0D83D11ECF
PID: 276 ( 700) C:\WINDOWS\System32\GEARSec.exe
size: 53248
MD5: B6E01969246FCB67470E87E6957EE147
PID: 380 ( 700) C:\Program Files\Java\jre6\bin\jqs.exe
size: 153376
MD5: 39133291CB607BDD87CFC565A4A1E7A5
PID: 416 ( 700) C:\Program Files\Norton Ghost\Agent\VProSvc.exe
size: 2066024
MD5: 89573B6F88A851EBA44BABE98543C007
PID: 596 ( 700) C:\WINDOWS\system32\nvsvc32.exe
size: 159812
MD5: 0C41C4ACFE00D826DB479C40C1D9EDC8
PID: 620 ( 700) C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
size: 69632
MD5: DC544952B5F0299A5C5FBE1937242D25
PID: 844 ( 700) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
size: 242048
MD5: CA7E42E0B8D117165ED553A7D681352A
PID: 1176 ( 700) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
size: 1529728
MD5: 5144AE67D60EC653F97DDF3FEED29E77
PID: 2264 ( 700) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
size: 822424
MD5: B6BF7DD619D045D0F999310882551B7D
PID: 2364 ( 700) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 2944 (1572) C:\WINDOWS\RTHDCPL.EXE
size: 14864384
MD5: 569DDC03B8FEA3936731CAE99DD95FA5
PID: 2968 (1572) C:\WINDOWS\MXOALDR.EXE
size: 94208
MD5: A6B33A9B1452178AA7968EFFEF266A1D
PID: 3024 (1572) C:\Program Files\Java\jre6\bin\jusched.exe
size: 149280
MD5: 3A0647BDED81DBE0BCBB51D70B22C9E0
PID: 3036 (1572) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 198160
MD5: 29BE51557A3E686B297BE273EB17CA67
PID: 3136 (1572) C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
size: 320832
MD5: 5F53750CEA64C8D5882D808718A7074A
PID: 3152 (1572) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 58992
MD5: 84EC0B55BCBE872F999ACDCE58E3F67D
PID: 3160 (1572) C:\Program Files\Norton Ghost\Agent\GhostTray.exe
size: 1537648
MD5: 5F8BDC81AC2063C1C4BBAFB23F219B90
PID: 3176 (1572) C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
size: 2350592
MD5: B967DC47D7A432C95BA048EE168E1875
PID: 3204 (1572) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 3244 (1572) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887
PID: 3436 (1176) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
size: 183152
MD5: E91B5FA739CCF7F0CE3282B0FCFA5108
PID: 3664 (3308) C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
size: 417855
MD5: A9A5CDFDA52257DB4488F457C3F4022A
PID: 3396 (1572) C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
size: 2335880
MD5: B04CDA7A51B049A43CB7DBCC8FD0931C
PID: 1884 (1572) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 3044 (1572) C:\Program Files\internet explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2096 (3044) C:\Program Files\internet explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 1996 ( 900) C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
size: 311152
MD5: 4717CC0CC613C56C9AB3AB19BC43BB74
PID: 3128 (3044) C:\Program Files\internet explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/23/2010 9:17:23 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6EB8A60A-4560-4CA1-8D06-1B736600D1D3}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 4: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6EB8A60A-4560-4CA1-8D06-1B736600D1D3}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CD50ABBE-91E6-4690-BF3A-8DAFB8A1935F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CD50ABBE-91E6-4690-BF3A-8DAFB8A1935F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8DA40E19-4E6F-4A3C-A962-7E084D29110D}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8DA40E19-4E6F-4A3C-A962-7E084D29110D}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:24 AM, on 1/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\Astsrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\clipbrd.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKCU\..\Run: [Speaking Clock Deluxe] "C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.1.lnk.disabled
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165022501781
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AST Service - Nalpeiron Ltd. - C:\WINDOWS\system32\Astsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XoftSpyService - ParetoLogic Inc. - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe

--
End of file - 9873 bytes

peku006
2010-01-23, 16:43
Hi Appro

It is not there, the registry value is fixed and does not appear in these logs

MyWay.MyWebSearch: [SBI $B267ADF3] IE toolbar (Registry value, fixed)

Thanks peku006


condor
2010-01-23, 16:56
Hi Peku006,

Thanks very much for your reply.

Yes. Spybot was able to correct the problem in the Registry, at least temporarily.

Unfortunately, in the past it has somehow re-infected itself from who knows where.

Regards

condor

peku006
2010-01-23, 18:00
Hi condor

OK, once again :D:

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) by Oldtimer to your Desktop and double-click on it to extract the files.

NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
Click the Scan All Users checkbox on the toolbar.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Close Notepad (saving the change if necessary).


Thanks peku006

condor
2010-01-23, 18:57
Hi Peku006,

Yes. I thought we were done with this, but it seems determined to hang on.

I do appreciate your help.

Here is the OTS log. I have to send in 2 parts because of the size.


Thanks

condor

[code]
OTS logfile created on: 1/23/2010 12:27:10 PM - Run 1
OTS by OldTimer - Version 3.1.19.4 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 69.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 111.56 Gb Free Space | 74.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: AL-BF3E369F3453
Current User Name: Admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days

[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Admin\Desktop\OTS.exe -> [2010/01/23 12:23:36 | 00,631,296 | ---- | M] (OldTimer Tools)
symlcsvc.exe -> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -> [2010/01/20 19:36:21 | 00,822,424 | ---- | M] (Symantec Corporation)
realsched.exe -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> [2010/01/12 15:29:55 | 00,198,160 | ---- | M] (RealNetworks, Inc.)
jusched.exe -> C:\Program Files\Java\jre6\bin\jusched.exe -> [2010/01/04 08:18:15 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
jqs.exe -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2010/01/04 08:18:14 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
sched.exe -> C:\Program Files\Avira\AntiVir Desktop\sched.exe -> [2009/12/25 07:05:11 | 00,108,289 | ---- | M] (Avira GmbH)
avguard.exe -> C:\Program Files\Avira\AntiVir Desktop\avguard.exe -> [2009/12/25 07:05:09 | 00,185,089 | ---- | M] (Avira GmbH)
avcenter.exe -> C:\Program Files\Avira\AntiVir Desktop\avcenter.exe -> [2009/12/25 07:05:08 | 00,470,785 | ---- | M] (Avira GmbH)
awc.exe -> C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe -> [2009/11/20 13:51:34 | 02,335,880 | ---- | M] (IObit)
winpatrol.exe -> C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe -> [2009/10/10 16:07:08 | 00,320,832 | ---- | M] (BillP Studios)
freeagentservice.exe -> C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -> [2009/09/25 23:32:18 | 00,189,736 | ---- | M] (Seagate Technology LLC)
wlidsvc.exe -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -> [2009/08/18 11:29:22 | 01,529,728 | ---- | M] (Microsoft Corporation)
wlidsvcm.exe -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE -> [2009/08/18 11:29:22 | 00,183,152 | ---- | M] (Microsoft Corporation)
seaport.exe -> C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -> [2009/08/07 17:15:06 | 00,242,048 | ---- | M] (Microsoft Corporation)
spcldlx.exe -> C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe -> [2009/06/30 14:54:02 | 02,350,592 | ---- | M] (Lux Aeterna)
nvsvc32.exe -> C:\WINDOWS\system32\nvsvc32.exe -> [2008/05/16 13:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation)
wscntfy.exe -> C:\WINDOWS\system32\wscntfy.exe -> [2008/04/13 19:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
mxoaldr.exe -> C:\WINDOWS\MXOALDR.EXE -> [2007/06/16 16:44:35 | 00,094,208 | ---- | M] (Cypress Semiconductor)
astsrv.exe -> C:\WINDOWS\system32\AstSrv.exe -> [2007/02/16 19:08:14 | 00,057,344 | ---- | M] (Nalpeiron Ltd.)
apcsystray.exe -> C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe -> [2005/12/12 15:03:54 | 00,417,855 | ---- | M] (American Power Conversion Corporation)
mainserv.exe -> C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -> [2005/12/12 15:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation)
rthdcpl.exe -> C:\WINDOWS\RTHDCPL.exe -> [2005/10/14 20:51:40 | 14,864,384 | R--- | M] (Realtek Semiconductor Corp.)
vprosvc.exe -> C:\Program Files\Norton Ghost\Agent\VProSvc.exe -> [2005/09/09 19:09:28 | 02,066,024 | ---- | M] (Symantec Corporation)
ghosttray.exe -> C:\Program Files\Norton Ghost\Agent\GhostTray.exe -> [2005/09/09 19:09:24 | 01,537,648 | ---- | M] (Symantec Corporation)
gearsec.exe -> C:\WINDOWS\system32\gearsec.exe -> [2005/09/09 19:09:10 | 00,053,248 | ---- | M] (GEAR Software)
incdsrv.exe -> C:\Program Files\Ahead\InCD\InCDsrv.exe -> [2005/07/08 16:24:46 | 00,871,424 | ---- | M] (Nero AG)
ccsetmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2004/12/13 15:30:10 | 00,165,488 | ---- | M] (Symantec Corporation)
ccevtmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2004/12/13 15:30:04 | 00,198,256 | ---- | M] (Symantec Corporation)
ccapp.exe -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> [2004/12/13 15:30:00 | 00,058,992 | ---- | M] (Symantec Corporation)
retrorun.exe -> C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -> [2004/07/30 14:47:36 | 00,069,632 | ---- | M] (Dantz Development Corporation)

[Modules - Safe List]
ots.exe -> C:\Documents and Settings\Admin\Desktop\OTS.exe -> [2010/01/23 12:23:36 | 00,631,296 | ---- | M] (OldTimer Tools)
patrolpro.dll -> C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll -> [2007/03/26 13:03:20 | 00,057,344 | ---- | M] (BillP Studios)

[Win32 Services - Safe List]
(is-SP0JE) is-SP0JE [Disabled | Stopped] -> -> File not found
(is-RFAT4) is-RFAT4 [Disabled | Stopped] -> -> File not found
(is-O3HS5) is-O3HS5 [Disabled | Stopped] -> -> File not found
(is-HH2HK) is-HH2HK [Disabled | Stopped] -> -> File not found
(is-76QSD) is-76QSD [Disabled | Stopped] -> -> File not found
(Symantec Core LC) Symantec Core LC [On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe -> [2010/01/20 19:36:21 | 00,822,424 | ---- | M] (Symantec Corporation)
(JavaQuickStarterService) Java Quick Starter [Auto | Running] -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2010/01/04 08:18:14 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.)
(AntiVirSchedulerService) Avira AntiVir Scheduler [Auto | Running] -> C:\Program Files\Avira\AntiVir Desktop\sched.exe -> [2009/12/25 07:05:11 | 00,108,289 | ---- | M] (Avira GmbH)
(AntiVirService) Avira AntiVir Guard [Auto | Running] -> C:\Program Files\Avira\AntiVir Desktop\avguard.exe -> [2009/12/25 07:05:09 | 00,185,089 | ---- | M] (Avira GmbH)
(XoftSpyService) XoftSpyService [On_Demand | Stopped] -> C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe -> [2009/10/23 16:58:06 | 00,582,424 | ---- | M] (ParetoLogic Inc.)
(FreeAgentGoNext Service) Seagate Service [Auto | Running] -> C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -> [2009/09/25 23:32:18 | 00,189,736 | ---- | M] (Seagate Technology LLC)
(wlidsvc) Windows Live ID Sign-in Assistant [Auto | Running] -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -> [2009/08/18 11:29:22 | 01,529,728 | ---- | M] (Microsoft Corporation)
(SeaPort) SeaPort [Auto | Running] -> C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -> [2009/08/07 17:15:06 | 00,242,048 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Auto | Running] -> C:\WINDOWS\system32\nvsvc32.exe -> [2008/05/16 13:01:00 | 00,159,812 | ---- | M] (NVIDIA Corporation)
(AST Service) AST Service [Auto | Running] -> C:\WINDOWS\system32\AstSrv.exe -> [2007/02/16 19:08:14 | 00,057,344 | ---- | M] (Nalpeiron Ltd.)
(RoxMediaDB9) RoxMediaDB9 [On_Demand | Stopped] -> C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -> [2007/01/16 12:44:48 | 00,880,640 | ---- | M] (Sonic Solutions)
(stllssvr) stllssvr [On_Demand | Stopped] -> C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -> [2007/01/15 08:05:30 | 00,073,728 | R--- | M] (MicroVision Development, Inc.)
(Roxio UPnP Renderer 9) Roxio UPnP Renderer 9 [On_Demand | Stopped] -> C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -> [2006/12/13 22:17:26 | 00,057,344 | ---- | M] (Sonic Solutions)
(Roxio Upnp Server 9) Roxio Upnp Server 9 [Auto | Stopped] -> C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -> [2006/12/13 22:17:02 | 00,294,912 | ---- | M] (Sonic Solutions)
(Ati HotKey Poller) Ati HotKey Poller [Auto | Stopped] -> C:\WINDOWS\system32\ati2evxx.exe -> [2006/02/21 20:39:16 | 00,405,504 | ---- | M] (ATI Technologies Inc.)
(APC UPS Service) APC UPS Service [Auto | Running] -> C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -> [2005/12/12 15:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation)
(Norton Ghost) Norton Ghost [Auto | Running] -> C:\Program Files\Norton Ghost\Agent\VProSvc.exe -> [2005/09/09 19:09:28 | 02,066,024 | ---- | M] (Symantec Corporation)
(GEARSecurity) GEARSecurity [Auto | Running] -> C:\WINDOWS\system32\gearsec.exe -> [2005/09/09 19:09:10 | 00,053,248 | ---- | M] (GEAR Software)
(InCDsrv) InCD Helper [Auto | Running] -> C:\Program Files\Ahead\InCD\InCDsrv.exe -> [2005/07/08 16:24:46 | 00,871,424 | ---- | M] (Nero AG)
(ccSetMgr) Symantec Settings Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2004/12/13 15:30:10 | 00,165,488 | ---- | M] (Symantec Corporation)
(ccPwdSvc) Symantec Password Validation [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -> [2004/12/13 15:30:08 | 00,079,472 | ---- | M] (Symantec Corporation)
(ccEvtMgr) Symantec Event Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2004/12/13 15:30:04 | 00,198,256 | ---- | M] (Symantec Corporation)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -> [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation)
(RetroExpLauncher) Retrospect Express HD Launcher [Auto | Running] -> C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe -> [2004/07/30 14:47:36 | 00,069,632 | ---- | M] (Dantz Development Corporation)

[Driver Services - Safe List]
(symlcbrd) symlcbrd [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\symlcbrd.sys -> [2010/01/20 19:36:22 | 00,004,608 | ---- | M] (Symantec Corporation)
(avipbb) avipbb [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\avipbb.sys -> [2009/12/25 07:05:12 | 00,096,104 | ---- | M] (Avira GmbH)
(avgntflt) avgntflt [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\avgntflt.sys -> [2009/12/25 07:05:12 | 00,056,816 | ---- | M] (Avira GmbH)
(ssmdrv) ssmdrv [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\ssmdrv.sys -> [2009/12/25 07:05:12 | 00,028,520 | ---- | M] (Avira GmbH)
(avgio) avgio [Kernel | System | Running] -> C:\Program Files\Avira\AntiVir Desktop\avgio.sys -> [2009/02/13 11:35:05 | 00,011,608 | ---- | M] (Avira GmbH)
(is-U2OSHdrv) is-U2OSHdrv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\09870117.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-QA78Mdrv) is-QA78Mdrv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\60464396.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-O1MK8drv) is-O1MK8drv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\73001606.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-G4K5Edrv) is-G4K5Edrv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\45373222.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-FTVCUdrv) is-FTVCUdrv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\88850112.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-AU098drv) is-AU098drv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\64293220.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-80PSPdrv) is-80PSPdrv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\47602119.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-7P51Bdrv) is-7P51Bdrv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\48164237.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-0SG48drv) is-0SG48drv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\28882349.sys -> [2008/07/08 13:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab)
(nv) nv [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\nv4_mini.sys -> [2008/05/16 13:01:00 | 06,557,408 | ---- | M] (NVIDIA Corporation)
(HidBatt) HID UPS Battery Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\hidbatt.sys -> [2008/04/13 13:36:38 | 00,020,352 | ---- | M] (Microsoft Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(is-SP0JEdrv) is-SP0JEdrv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\93704403.sys -> [2008/03/05 10:41:30 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-RFAT4drv) is-RFAT4drv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\10536068.sys -> [2008/03/05 10:41:30 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-O3HS5drv) is-O3HS5drv [File_System | System | Running] -> C:\WINDOWS\system32\drivers\61826897.sys -> [2008/03/05 10:41:30 | 00,148,496 | ---- | M] (Kaspersky Lab)
(is-HH2HKdrv) is-HH2HKdrv [File_System | System | Stopped] -> C:\WINDOWS\system32\drivers\83042734.sys -> [2008/03/05 10:41:30 | 00,148,496 | ---- | M] (Kaspersky Lab)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\secdrv.sys -> [2007/11/13 03:47:45 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> C:\WINDOWS\System32\Drivers\PxHelp20.sys -> [2007/03/07 18:51:00 | 00,043,528 | ---- | M] (Sonic Solutions)
(RxFilter) RxFilter [File_System | Disabled | Stopped] -> C:\WINDOWS\system32\drivers\RxFilter.sys -> [2006/12/02 12:19:30 | 00,050,688 | ---- | M] (Sonic Solutions)
(ati2mtag) ati2mtag [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ati2mtag.sys -> [2006/02/21 20:46:26 | 01,505,792 | ---- | M] (ATI Technologies Inc.)
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\RtkHDAud.Sys -> [2005/10/18 16:15:42 | 04,034,048 | R--- | M] (Realtek Semiconductor Corp.)
(SymSnap) SymSnap [File_System | Boot | Running] -> C:\WINDOWS\system32\drivers\SymSnap.sys -> [2005/09/09 19:09:20 | 00,144,832 | ---- | M] (StorageCraft)
(V2IMount) V2IMount [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\V2iMount.sys -> [2005/09/09 19:09:20 | 00,056,192 | ---- | M] (Symantec Corporation)
(GearAspiWDM) GearAspiWDM [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -> [2005/09/09 19:09:10 | 00,014,408 | ---- | M] (GEAR Software Inc.)
(RTL8023xp) Realtek 10/100/1000 NIC Family all in one NDIS XP Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\Rtnicxp.sys -> [2005/08/24 15:56:28 | 00,074,752 | ---- | M] (Realtek Semiconductor Corporation )
(InCDfs) InCD File System [File_System | Disabled | Running] -> C:\WINDOWS\system32\drivers\InCDfs.sys -> [2005/07/08 16:17:54 | 00,099,584 | ---- | M] (Nero AG)
(InCDPass) InCDPass [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\InCDpass.sys -> [2005/07/08 16:17:36 | 00,029,696 | ---- | M] (Nero AG)
(incdrm) InCD Reader [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\InCDrm.sys -> [2005/07/08 09:17:32 | 00,028,672 | ---- | M] (Nero AG)
(MXOPSWD) Maxtor OneTouch Security Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\mxopswd.sys -> [2004/10/07 09:21:22 | 00,015,360 | ---- | M] (Maxtor Corp.)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ptilink.sys -> [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\RTL8139.sys -> [2004/08/03 21:31:34 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation)
(pfc) Padus ASPI Shell [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\pfc.sys -> [2003/12/05 04:46:36 | 00,010,368 | ---- | M] (Padus, Inc.)
(MXOFX) USB Storage Adapter FX (MXO) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MXOFX.SYS -> [2003/10/10 03:23:48 | 00,032,640 | ---- | M] (Cypress Semiconductor)
(NtApm) NT Apm/Legacy Interface Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\NtApm.sys -> [2001/08/17 13:47:22 | 00,009,344 | ---- | M] (Microsoft Corporation)
(Sentinel) Sentinel [Kernel | Auto | Running] -> C:\WINDOWS\System32\Drivers\SENTINEL.SYS -> [2001/06/21 21:39:02 | 00,073,728 | ---- | M] (Rainbow Technologies, Inc.)
(Sntnlusb) Rainbow USB SuperPro [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\SNTNLUSB.SYS -> [2001/06/21 21:39:02 | 00,020,032 | R--- | M] (Rainbow Technologies Inc.)
(MapMemP) MapMemP [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\MAPMEMP.SYS -> [1998/10/26 12:31:12 | 00,063,080 | ---- | M] ()

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\: Main\\"Default_Secondary_Page_URL" -> www.live.com [binary data] ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\: Main\\"SearchDefaultBranded" -> 1 ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\: Main\\"Start Page" -> http://www.msn.com/ ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\: "ProxyEnable" -> 0 ->
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Admin\Application Data\Mozilla\FireFox\Profiles\4f99sura.default\prefs.js ->
browser.search.defaultengine -> "Ask.com" ->
browser.search.defaultenginename -> "Ask.com" ->
browser.search.order.1 -> "Ask.com" ->
browser.search.selectedEngine -> "Ask.com" ->
browser.search.useDBForOrder -> true ->
browser.startup.homepage -> "http://www.msn.com" ->
extensions.enabledItems -> jqs@sun.com:1.0 ->
extensions.enabledItems -> msntoolbar@msn.com:4.0 ->
extensions.enabledItems -> {27182e60-b5f3-411c-b545-b44205977502}:1.0 ->
keyword.URL -> "" ->
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\extensions -> ->
HKLM\software\mozilla\Firefox\extensions\\msntoolbar@msn.com -> C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\Firefox [C:\PROGRAM FILES\MSN TOOLBAR\PLATFORM\4.0.0205.2\FIREFOX] -> [2009/11/01 11:21:24 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502} -> C:\PROGRAM FILES\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER\FIREFOXEXTENSION\SEARCHHELPEREXTENSION\ [C:\PROGRAM FILES\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER\FIREFOXEXTENSION\SEARCHHELPEREXTENSION\] -> [2009/11/01 11:21:29 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions -> ->
HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components -> C:\Program Files\Mozilla Firefox\components [C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS] -> [2010/01/12 15:32:20 | 00,000,000 | ---D | M]
HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins -> C:\Program Files\Mozilla Firefox\plugins [C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS] -> [2010/01/19 09:21:37 | 00,000,000 | ---D | M]
< FireFox Extensions [User Folders] > ->
-> C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions -> [2009/04/07 18:20:27 | 00,000,000 | ---D | M]
-> C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\extensions -> [2009/12/31 18:03:29 | 00,000,000 | ---D | M]
< FireFox SearchPlugins [User Folders] > ->
askcom.xml -> C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\searchplugins\askcom.xml -> [2009/12/18 18:32:17 | 00,002,236 | ---- | M] ()
< FireFox Extensions [Program Folders] > ->
-> C:\Program Files\Mozilla Firefox\extensions -> [2010/01/04 08:18:51 | 00,000,000 | ---D | M]
< HOSTS File > (619870 bytes and 16467 lines) -> C:\WINDOWS\system32\drivers\etc\HOSTS ->
First 25 entries...
Reset Hosts
127.0.0.1 localhost
127.0.0.1 fr.a2dfp.net
127.0.0.1 m.fr.a2dfp.net
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 adv.abv.bg
127.0.0.1 bimg.abv.bg
127.0.0.1 www2.a-counter.kiev.ua
127.0.0.1 track.acclaimnetwork.com
127.0.0.1 accuserveadsystem.com
127.0.0.1 www.accuserveadsystem.com
127.0.0.1 achmedia.com
127.0.0.1 aconti.net
127.0.0.1 secure.aconti.net
127.0.0.1 www.aconti.net #[Dialer.Aconti]
127.0.0.1 ads.active.com
127.0.0.1 am1.activemeter.com
127.0.0.1 www.activemeter.com #[Tracking.Cookie]
127.0.0.1 ads.activepower.net
127.0.0.1 data2.activshopper.com #[Trackware.ActivShopper]
127.0.0.1 stat.active24stats.nl #[Tracking.Cookie]
127.0.0.1 ad2games.com
127.0.0.1 cms.ad2click.nl
127.0.0.1 ads.ad2games.com
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{00C6482D-C502-44C8-8409-FCE54AD9C208} [HKLM] -> C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll [HelperObject Class] -> [2005/10/14 06:25:00 | 00,049,152 | ---- | M] (TechSmith Corporation)
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [Adobe PDF Link Helper] -> [2009/12/21 18:27:44 | 00,075,200 | ---- | M] (Adobe Systems Incorporated)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
{6EBF7485-159F-4bff-A14F-B9E3AAC4465B} [HKLM] -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [Search Helper] -> [2009/08/07 17:15:06 | 00,138,608 | ---- | M] (Microsoft Corporation)
{d2ce3e00-f94a-4740-988e-03dc2f38c34f} [HKLM] -> C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll [MSN Toolbar BHO] -> [2009/08/09 22:08:46 | 00,502,624 | ---- | M] (Microsoft Corporation)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2010/01/04 08:18:14 | 00,041,760 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2010/01/04 08:18:17 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
"{8dcb7100-df86-4384-8842-8fa844297b3f}" [HKLM] -> C:\Program Files\MSN Toolbar\Platform\4.0.0205.2\npwinext.dll [MSN Toolbar] -> [2009/08/09 22:08:46 | 00,502,624 | ---- | M] (Microsoft Corporation)
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" [HKLM] -> C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll [SnagIt] -> [2005/10/14 06:25:00 | 00,131,072 | ---- | M] (TechSmith Corporation)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\"{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Adobe ARM" -> C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe ["C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"] -> [2009/12/11 15:57:56 | 00,948,672 | R--- | M] (Adobe Systems Incorporated)
"Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe ["C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"] -> [2009/12/22 01:57:28 | 00,035,760 | ---- | M] (Adobe Systems Incorporated)
"ccApp" -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe ["C:\Program Files\Common Files\Symantec Shared\ccApp.exe"] -> [2004/12/13 15:30:00 | 00,058,992 | ---- | M] (Symantec Corporation)
"MXOBG" -> C:\WINDOWS\MXOALDR.EXE [C:\WINDOWS\MXOALDR.EXE] -> [2007/06/16 16:44:35 | 00,094,208 | ---- | M] (Cypress Semiconductor)
"Norton Ghost 10.0" -> C:\Program Files\Norton Ghost\Agent\GhostTray.exe ["C:\Program Files\Norton Ghost\Agent\GhostTray.exe"] -> [2005/09/09 19:09:24 | 01,537,648 | ---- | M] (Symantec Corporation)
"NvCplDaemon" -> C:\WINDOWS\System32\NvCpl.DLL [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2008/05/16 13:01:00 | 13,529,088 | ---- | M] (NVIDIA Corporation)
"RTHDCPL" -> C:\WINDOWS\RTHDCPL.exe [RTHDCPL.EXE] -> [2005/10/14 20:51:40 | 14,864,384 | R--- | M] (Realtek Semiconductor Corp.)
"SunJavaUpdateSched" -> C:\Program Files\Java\jre6\bin\jusched.exe ["C:\Program Files\Java\jre6\bin\jusched.exe"] -> [2010/01/04 08:18:15 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
"TkBellExe" -> C:\Program Files\Common Files\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot] -> [2010/01/12 15:29:55 | 00,198,160 | ---- | M] (RealNetworks, Inc.)
"WinPatrol" -> C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot] -> [2009/10/10 16:07:08 | 00,320,832 | ---- | M] (BillP Studios)
< Run [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"Speaking Clock Deluxe" -> C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe ["C:\Program Files\Speaking Clock Deluxe\SpClDlx.exe"] -> [2009/06/30 14:54:02 | 02,350,592 | ---- | M] (Lux Aeterna)
< RunOnce [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ->
"FlashPlayerUpdate" -> C:\WINDOWS\System32\Macromed\Flash\FlashUtil10b.exe [C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe] -> File not found
< Admin Startup Folder > -> C:\Documents and Settings\Admin\Start Menu\Programs\Startup ->
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Check for TWS Updates.lnk -> C:\Jts\WiseUpdt.exe -> [2006/11/08 14:55:02 | 00,194,775 | ---- | M] ()
C:\Documents and Settings\Admin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> C:\Program Files\ERUNT\AUTOBACK.EXE -> [2005/10/20 12:04:08 | 00,038,912 | ---- | M] ()
-> C:\Documents and Settings\Admin\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk.disabled -> [2009/07/05 19:53:14 | 00,000,870 | ---- | M] ()
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk -> C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe -> [2005/12/12 15:05:30 | 00,221,247 | ---- | M] (American Power Conversion Corporation)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk -> C:\Program Files\Microsoft Office\Office\OSA9.EXE -> [1999/02/17 15:05:56 | 00,065,588 | ---- | M] (Microsoft Corporation)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
\Infodelivery\Restrictions\\"NoUpdateCheck" -> [1] -> File not found
< Software Policy Settings [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Policies\Microsoft\Internet Explorer ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"LinkResolveIgnoreLinkInfo" -> [0] -> File not found
\\"NoResolveSearch" -> [1] -> File not found
\\"NoCDBurning" -> [0] -> File not found
\\"HonorAutoRunSetting" -> [1] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDrives" -> [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [323] -> File not found
\\"LinkResolveIgnoreLinkInfo" -> [0] -> File not found
\\"NoDriveAutoRun" -> [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Menu: Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2009/01/26 15:31:02 | 01,879,896 | ---- | M] (Safer Networking Limited)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6669 domain(s) found. ->
60 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6693 domain(s) found. ->
60 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 6693 domain(s) found. ->
60 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4200 domain(s) found. ->
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 4200 domain(s) found. ->
33 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 10228 domain(s) found. ->
72 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{7530BFB8-7293-4D34-9923-61A11451AFC5} [HKLM] -> http://download.eset.com/special/eos/OnlineScanner.cab [OnlineScanner Control] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [HKLM] -> Reg Error: Value error. [Reg Error: Value error.] ->
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab [Java Plug-in 1.6.0_17] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> https://interactivebrokers.webex.com/client/T26L/event/ieatgpc.cab [GpcContainer Class] ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ ->
DhcpNameServer -> 192.168.5.1 ->
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{6EB8A60A-4560-4CA1-8D06-1B736600D1D3}\\DhcpNameServer -> 192.168.5.1 (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell ->
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
AtiExtEvent -> C:\WINDOWS\System32\ati2evxx.dll -> [2006/02/21 20:40:30 | 00,061,440 | ---- | M] (ATI Technologies Inc.)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List ->
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List ->
"C:\Ensign\Ensign.exe" -> C:\Ensign\Ensign.exe [C:\Ensign\Ensign.exe:*:Enabled:Ensign Windows] -> [2009/12/31 15:19:08 | 05,246,464 | ---- | M] (Ensign Software, Inc.)
"C:\FTGT\ftgt4.exe" -> C:\FTGT\ftgt4.exe [C:\FTGT\ftgt4.exe:*:Enabled:Fibonacci Galactic Trader 4] -> [2009/08/03 17:40:26 | 18,317,312 | ---- | M] (Fibonacci Trader Corp.)
"C:\Jts\WiseUpdt.exe" -> C:\Jts\WiseUpdt.exe [C:\Jts\WiseUpdt.exe:*:Enabled:Check for TWS Updates] -> [2006/11/08 14:55:02 | 00,194,775 | ---- | M] ()
"C:\MTP6RTData\MTPDataServer.exe" -> C:\MTP6RTData\MTPDataServer.exe [C:\MTP6RTData\MTPDataServer.exe:*:Enabled:Real-Time Data Server for MTPredictor] -> [2009/12/03 02:44:22 | 01,700,864 | ---- | M] (MTPredictor Limited)
"C:\Program Files\Atomic Clock Sync\Atomic.exe" -> C:\Program Files\Atomic Clock Sync\Atomic.exe [C:\Program Files\Atomic Clock Sync\Atomic.exe:*:Enabled:Atomic Clock Sync (2)] -> [2004/06/17 09:46:48 | 00,524,288 | ---- | M] (Chaos Software Group, Inc.)
"C:\Program Files\Conference\Conference.dll" -> C:\Program Files\Conference\Conference.dll [C:\Program Files\Conference\Conference.dll:*:Enabled:Audio/Video Conference by KIOSK Team] -> [2008/06/07 11:15:21 | 03,255,808 | ---- | M] (©2002-2007 Audio/Video Conference Software)
"C:\Program Files\Foxmail\Foxmail.exe" -> C:\Program Files\Foxmail\Foxmail.exe [C:\Program Files\Foxmail\Foxmail.exe:*:Enabled:Foxmail] -> [2004/06/18 09:41:24 | 03,273,216 | ---- | M] (Boda Network Technology Inc.)
"C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe" -> C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe [C:\Program Files\NinjaTrader 6.5\bin\NinjaTrader.exe:*:Enabled:NinjaTrader application] -> [2009/12/09 06:25:04 | 00,143,360 | ---- | M] (NinjaTrader)
"C:\Program Files\Outlook Express\msimn.exe" -> C:\Program Files\Outlook Express\msimn.exe [C:\Program Files\Outlook Express\msimn.exe:*:Enabled:Outlook Express] -> [2008/04/13 19:12:28 | 00,060,416 | -HS- | M] (Microsoft Corporation)
"C:\Program Files\Real Time Software Engineering\MetaServer RT 3.2 for TWS\msrt.exe" -> C:\Program Files\Real Time Software Engineering\MetaServer RT 3.2 for TWS\msrt.exe [C:\Program Files\Real Time Software Engineering\MetaServer RT 3.2 for TWS\msrt.exe:*:Enabled:MetaServer RT 3.2] -> [2008/04/16 16:27:36 | 01,669,888 | ---- | M] (RT Soft Ltd.)
"C:\Program Files\Real\RealPlayer\realplay.exe" -> C:\Program Files\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer] -> [2010/01/12 15:30:06 | 00,222,728 | ---- | M] (RealNetworks, Inc.)
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" -> C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy] -> [2009/01/26 15:31:12 | 05,365,592 | RHS- | M] (Safer Networking Limited)
"C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\TradingRooms.exe" -> C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\TradingRooms.exe [C:\Program Files\Trading Rooms Technologies, Inc\TradingRooms\Avx\TradingRooms.exe:*:Enabled:TradingRooms] -> [2007/05/14 07:43:20 | 00,049,152 | ---- | M] ()
"C:\Program Files\Ventrilo\Ventrilo.exe" -> C:\Program Files\Ventrilo\Ventrilo.exe [C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe] -> [2008/11/10 10:23:50 | 01,539,072 | ---- | M] ()
"C:\SierraChart\SierraChart.exe" -> C:\SierraChart\SierraChart.exe [C:\SierraChart\SierraChart.exe:*:Enabled:Sierra Chart] -> [2009/12/31 02:41:36 | 04,551,680 | ---- | M] ( )
"C:\WINDOWS\system32\javaw.exe" -> C:\WINDOWS\System32\javaw.exe [C:\WINDOWS\system32\javaw.exe:*:Enabled:Java(TM) 2 Platform Standard Edition binary] -> [2010/01/04 08:18:14 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot ->
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 ->
"DisplayName" -> CD-ROM Driver ->
"ImagePath" -> [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > -> ->
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2006/04/05 21:14:25 | 00,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 ->
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command ->
comfile [open] -> "%1" %* ->
exefile [open] -> "%1" %* ->

[Files/Folders - Created Within 30 Days]

NOTE 2nd half of file to follow....

condor
2010-01-23, 19:03
Hi Peku006,

Here is the rest of the file

Thanks

condor


Second half of file starts here.......

[Files/Folders - Created Within 30 Days]
OTS.exe -> C:\Documents and Settings\Admin\Desktop\OTS.exe -> [2010/01/23 12:23:33 | 00,631,296 | ---- | C] (OldTimer Tools)
symlcbrd.sys -> C:\WINDOWS\System32\drivers\symlcbrd.sys -> [2010/01/20 19:36:22 | 00,004,608 | ---- | C] (Symantec Corporation)
WinPatrol -> C:\Documents and Settings\Admin\Application Data\WinPatrol -> [2010/01/20 11:24:24 | 00,000,000 | ---D | C]
BillP Studios -> C:\Program Files\BillP Studios -> [2010/01/20 11:23:57 | 00,000,000 | ---D | C]
SpywareBlaster -> C:\Program Files\SpywareBlaster -> [2010/01/20 11:15:01 | 00,000,000 | ---D | C]
RECYCLER -> C:\RECYCLER -> [2010/01/20 10:38:28 | 00,000,000 | -HSD | C]
backups -> C:\backups -> [2010/01/19 07:10:25 | 00,000,000 | ---D | C]
Desktop -> C:\Documents and Settings\All Users\Desktop -> [2010/01/18 11:22:11 | 00,000,000 | ---D | C]
ESET -> C:\Program Files\ESET -> [2010/01/18 09:51:43 | 00,000,000 | ---D | C]
Admin.exe -> C:\Admin.exe -> [2010/01/17 10:27:45 | 00,401,720 | ---- | C] (Trend Micro Inc.)
Motive -> C:\Documents and Settings\All Users\Application Data\Motive -> [2010/01/15 21:00:57 | 00,000,000 | ---D | C]
Registry Search -> C:\Program Files\Registry Search -> [2010/01/14 13:04:04 | 00,000,000 | ---D | C]
aclayers.dll -> C:\WINDOWS\System32\dllcache\aclayers.dll -> [2010/01/13 07:15:01 | 00,471,552 | ---- | C] (Microsoft Corporation)
Real -> C:\Documents and Settings\All Users\Application Data\Real -> [2010/01/12 15:33:35 | 00,000,000 | ---D | C]
rmoc3260.dll -> C:\WINDOWS\System32\rmoc3260.dll -> [2010/01/12 15:32:20 | 00,185,920 | ---- | C] (RealNetworks, Inc.)
pndx5016.dll -> C:\WINDOWS\System32\pndx5016.dll -> [2010/01/12 15:31:17 | 00,006,656 | ---- | C] (RealNetworks, Inc.)
pndx5032.dll -> C:\WINDOWS\System32\pndx5032.dll -> [2010/01/12 15:31:17 | 00,005,632 | ---- | C] (RealNetworks, Inc.)
xing shared -> C:\Program Files\Common Files\xing shared -> [2010/01/12 15:31:08 | 00,000,000 | ---D | C]
pncrt.dll -> C:\WINDOWS\System32\pncrt.dll -> [2010/01/12 15:30:03 | 00,278,528 | ---- | C] (Real Networks, Inc)
CyberLink -> C:\Documents and Settings\Admin\Application Data\CyberLink -> [2010/01/09 11:16:34 | 00,000,000 | ---D | C]
Speaking Clock Deluxe -> C:\Program Files\Speaking Clock Deluxe -> [2010/01/04 12:58:27 | 00,000,000 | ---D | C]
javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/01/04 08:18:48 | 00,149,280 | ---- | C] (Sun Microsystems, Inc.)
javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/01/04 08:18:48 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.)
java.exe -> C:\WINDOWS\System32\java.exe -> [2010/01/04 08:18:48 | 00,145,184 | ---- | C] (Sun Microsystems, Inc.)
javacpl.cpl -> C:\WINDOWS\System32\javacpl.cpl -> [2010/01/04 08:18:48 | 00,073,728 | ---- | C] (Sun Microsystems, Inc.)
Windows Installer Clean Up -> C:\Program Files\Windows Installer Clean Up -> [2010/01/04 08:11:12 | 00,000,000 | ---D | C]
McAfee -> C:\Documents and Settings\All Users\Application Data\McAfee -> [2010/01/03 11:20:40 | 00,000,000 | ---D | C]
Other Kaspersky uninstall Tools -> C:\Program Files\Other Kaspersky uninstall Tools -> [2010/01/03 10:54:42 | 00,000,000 | ---D | C]
VS Revo Group -> C:\Program Files\VS Revo Group -> [2010/01/02 14:35:05 | 00,000,000 | ---D | C]
Windows Resource Kits -> C:\Program Files\Windows Resource Kits -> [2010/01/01 13:54:09 | 00,000,000 | ---D | C]
Safer Networking -> C:\Documents and Settings\Admin\Application Data\Safer Networking -> [2010/01/01 12:10:57 | 00,000,000 | ---D | C]
Aezay Productions -> C:\Program Files\Aezay Productions -> [2010/01/01 11:46:07 | 00,000,000 | ---D | C]
HijackThis.exe -> C:\HijackThis.exe -> [2010/01/01 10:48:45 | 00,401,720 | ---- | C] (Trend Micro Inc.)
ERUNT -> C:\Program Files\ERUNT -> [2009/12/31 22:09:02 | 00,000,000 | ---D | C]
cmdcons -> C:\cmdcons -> [2009/12/31 08:29:56 | 00,000,000 | RHSD | C]
Safer Networking -> C:\Program Files\Safer Networking -> [2009/12/30 20:11:49 | 00,000,000 | ---D | C]
EnsignBackup -> C:\EnsignBackup -> [2009/12/29 21:56:50 | 00,000,000 | ---D | C]
Malwarebytes -> C:\Documents and Settings\Admin\Application Data\Malwarebytes -> [2009/12/29 12:55:07 | 00,000,000 | ---D | C]
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2009/12/29 12:54:59 | 00,038,224 | ---- | C] (Malwarebytes Corporation)
Malwarebytes -> C:\Documents and Settings\All Users\Application Data\Malwarebytes -> [2009/12/29 12:54:55 | 00,000,000 | ---D | C]
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2009/12/29 12:54:52 | 00,019,160 | ---- | C] (Malwarebytes Corporation)
Malwarebytes' Anti-Malware -> C:\Program Files\Malwarebytes' Anti-Malware -> [2009/12/29 12:54:52 | 00,000,000 | ---D | C]
ParetoLogic -> C:\Program Files\ParetoLogic -> [2009/12/28 19:21:43 | 00,000,000 | ---D | C]
Microsoft -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft -> [2009/12/25 12:18:13 | 00,000,000 | ---D | M]
Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2009/12/25 12:18:00 | 00,000,000 | ---D | M]
Backups_Ensign -> C:\Backups_Ensign -> [2009/12/25 08:16:35 | 00,000,000 | ---D | C]
avipbb.sys -> C:\WINDOWS\System32\drivers\avipbb.sys -> [2009/12/24 15:38:52 | 00,096,104 | ---- | C] (Avira GmbH)
avgntflt.sys -> C:\WINDOWS\System32\drivers\avgntflt.sys -> [2009/12/24 15:38:51 | 00,056,816 | ---- | C] (Avira GmbH)
avgntdd.sys -> C:\WINDOWS\System32\drivers\avgntdd.sys -> [2009/12/24 15:38:51 | 00,045,416 | ---- | C] (Avira GmbH)
ssmdrv.sys -> C:\WINDOWS\System32\drivers\ssmdrv.sys -> [2009/12/24 15:38:51 | 00,028,520 | ---- | C] (Avira GmbH)
avgntmgr.sys -> C:\WINDOWS\System32\drivers\avgntmgr.sys -> [2009/12/24 15:38:51 | 00,022,360 | ---- | C] (Avira GmbH)
Avira -> C:\Program Files\Avira -> [2009/12/24 15:38:41 | 00,000,000 | ---D | C]
Avira -> C:\Documents and Settings\All Users\Application Data\Avira -> [2009/12/24 15:38:41 | 00,000,000 | ---D | C]
temp -> C:\WINDOWS\temp -> [2009/12/24 13:50:01 | 00,000,000 | ---D | C]
Microsoft -> C:\Documents and Settings\LocalService\Application Data\Microsoft -> [2009/11/01 11:21:19 | 00,000,000 | --SD | M]
Roxio -> C:\Documents and Settings\LocalService\Application Data\Roxio -> [2008/11/10 20:18:25 | 00,000,000 | ---D | M]
Microsoft -> C:\Documents and Settings\NetworkService\Application Data\Microsoft -> [2008/08/30 08:44:24 | 00,000,000 | --SD | M]
Microsoft -> C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft -> [2008/08/30 08:44:24 | 00,000,000 | ---D | M]

[Files/Folders - Modified Within 30 Days]
fidbox.dat -> C:\WINDOWS\System32\drivers\fidbox.dat -> [2010/01/23 12:26:31 | 17,869,31232 | -HS- | M] ()
OTS.exe -> C:\Documents and Settings\Admin\Desktop\OTS.exe -> [2010/01/23 12:23:36 | 00,631,296 | ---- | M] (OldTimer Tools)
GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004UA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004UA.job -> [2010/01/23 12:18:00 | 00,000,978 | ---- | M] ()
Spybot Bug Report_MyWebSearch.CLP -> C:\Documents and Settings\Admin\Desktop\Spybot Bug Report_MyWebSearch.CLP -> [2010/01/23 09:23:40 | 00,088,439 | ---- | M] ()
wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/01/23 07:00:23 | 00,013,646 | ---- | M] ()
nvapps.xml -> C:\WINDOWS\System32\nvapps.xml -> [2010/01/23 06:59:47 | 00,180,569 | ---- | M] ()
SA.DAT -> C:\WINDOWS\tasks\SA.DAT -> [2010/01/23 06:59:06 | 00,000,006 | -H-- | M] ()
bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/01/23 06:58:58 | 00,002,048 | --S- | M] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/01/23 06:58:45 | 21,459,64032 | -HS- | M] ()
VSNAP.IDX -> C:\VSNAP.IDX -> [2010/01/23 06:09:09 | 00,004,096 | -HS- | M] ()
fidbox.idx -> C:\WINDOWS\System32\drivers\fidbox.idx -> [2010/01/23 06:09:08 | 20,933,888 | -HS- | M] ()
ntuser.dat -> C:\Documents and Settings\Admin\ntuser.dat -> [2010/01/23 06:07:40 | 11,534,336 | ---- | M] ()
ntuser.ini -> C:\Documents and Settings\Admin\ntuser.ini -> [2010/01/23 06:07:40 | 00,000,278 | -HS- | M] ()
GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004Core.job -> C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-1326574676-725345543-1004Core.job -> [2010/01/22 19:18:03 | 00,000,926 | ---- | M] ()
IconCache.db -> C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db -> [2010/01/22 16:07:25 | 21,515,974 | -H-- | M] ()
FTGT32.INI -> C:\WINDOWS\FTGT32.INI -> [2010/01/22 16:05:51 | 00,000,550 | ---- | M] ()
solfire6.ini -> C:\WINDOWS\solfire6.ini -> [2010/01/22 14:55:11 | 00,005,755 | ---- | M] ()
astros.ini -> C:\WINDOWS\astros.ini -> [2010/01/22 10:51:05 | 00,000,405 | ---- | M] ()
KADJISYS.INI -> C:\WINDOWS\KADJISYS.INI -> [2010/01/22 07:33:12 | 00,000,024 | ---- | M] ()
FTROBOT.INI -> C:\WINDOWS\FTROBOT.INI -> [2010/01/22 07:21:27 | 00,000,023 | ---- | M] ()
ETF GROUPS & SHARES.xls -> C:\Documents and Settings\Admin\My Documents\ETF GROUPS & SHARES.xls -> [2010/01/21 21:06:29 | 00,029,184 | ---- | M] ()
ParetoLogic Registration3.job -> C:\WINDOWS\tasks\ParetoLogic Registration3.job -> [2010/01/21 18:00:01 | 00,000,444 | ---- | M] ()
TWS Previous Version.LNK -> C:\Documents and Settings\All Users\Desktop\TWS Previous Version.LNK -> [2010/01/21 07:36:04 | 00,001,667 | ---- | M] ()
Trader Workstation 4.0.LNK -> C:\Documents and Settings\All Users\Desktop\Trader Workstation 4.0.LNK -> [2010/01/21 07:36:04 | 00,001,647 | ---- | M] ()
ib.ini -> C:\WINDOWS\ib.ini -> [2010/01/21 07:36:04 | 00,000,042 | ---- | M] ()
Check for TWS Updates.lnk -> C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Check for TWS Updates.lnk -> [2010/01/21 07:36:03 | 00,000,485 | ---- | M] ()
symlcbrd.sys -> C:\WINDOWS\System32\drivers\symlcbrd.sys -> [2010/01/20 19:36:22 | 00,004,608 | ---- | M] (Symantec Corporation)
HOSTS -> C:\WINDOWS\System32\drivers\etc\HOSTS -> [2010/01/20 19:03:05 | 00,619,870 | ---- | M] ()
GDIPFONTCACHEV1.DAT -> C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT -> [2010/01/20 12:23:37 | 00,087,680 | ---- | M] ()
Shortcut to WinPatrolEx.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to WinPatrolEx.exe.lnk -> [2010/01/20 11:29:51 | 00,000,758 | ---- | M] ()
SpywareBlaster.lnk -> C:\Documents and Settings\Admin\Desktop\SpywareBlaster.lnk -> [2010/01/20 11:15:05 | 00,000,690 | ---- | M] ()
FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2010/01/20 10:48:16 | 00,327,504 | ---- | M] ()
system.ini -> C:\WINDOWS\system.ini -> [2010/01/20 08:34:20 | 00,000,227 | ---- | M] ()
HOSTS.MVP -> C:\WINDOWS\System32\drivers\etc\HOSTS.MVP -> [2010/01/20 07:21:55 | 00,374,883 | ---- | M] ()
Shortcut to clipbrd.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to clipbrd.exe.lnk -> [2010/01/19 12:54:56 | 00,000,631 | ---- | M] ()
Adobe Reader 9.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk -> [2010/01/19 09:21:39 | 00,001,729 | ---- | M] ()
cdplayer.ini -> C:\WINDOWS\cdplayer.ini -> [2010/01/16 08:50:05 | 00,040,418 | ---- | M] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2010/01/16 07:41:50 | 00,000,376 | ---- | M] ()
win.ini -> C:\WINDOWS\win.ini -> [2010/01/16 07:41:12 | 00,002,680 | ---- | M] ()
Microsoft Office.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk -> [2010/01/16 07:41:06 | 00,001,725 | ---- | M] ()
hosts.20100120-072155.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100120-072155.backup -> [2010/01/15 19:01:31 | 00,374,883 | ---- | M] ()
imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2010/01/13 07:49:36 | 00,001,374 | ---- | M] ()
hosts.20100115-190131.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100115-190131.backup -> [2010/01/12 19:09:51 | 00,373,249 | ---- | M] ()
rmoc3260.dll -> C:\WINDOWS\System32\rmoc3260.dll -> [2010/01/12 15:32:20 | 00,185,920 | ---- | M] (RealNetworks, Inc.)
pndx5016.dll -> C:\WINDOWS\System32\pndx5016.dll -> [2010/01/12 15:31:17 | 00,006,656 | ---- | M] (RealNetworks, Inc.)
pndx5032.dll -> C:\WINDOWS\System32\pndx5032.dll -> [2010/01/12 15:31:17 | 00,005,632 | ---- | M] (RealNetworks, Inc.)
pncrt.dll -> C:\WINDOWS\System32\pncrt.dll -> [2010/01/12 15:30:03 | 00,278,528 | ---- | M] (Real Networks, Inc)
1.hosts -> C:\WINDOWS\System32\drivers\etc\1.hosts -> [2010/01/12 04:36:26 | 00,619,896 | ---- | M] ()
hosts.20100112-190951.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100112-190951.backup -> [2010/01/09 19:53:28 | 00,373,249 | ---- | M] ()
Microsoft Excel (2).lnk -> C:\Documents and Settings\Admin\Desktop\Microsoft Excel (2).lnk -> [2010/01/08 08:04:32 | 00,002,471 | ---- | M] ()
Fibonacci Galactic Trader 4 (2).lnk -> C:\Documents and Settings\Admin\Desktop\Fibonacci Galactic Trader 4 (2).lnk -> [2010/01/08 07:57:21 | 00,001,307 | ---- | M] ()
mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation)
mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation)
Sierra Chart (C--SierraChart).lnk -> C:\Documents and Settings\Admin\Desktop\Sierra Chart (C--SierraChart).lnk -> [2010/01/06 14:54:19 | 00,000,560 | ---- | M] ()
XoftSpySE.job -> C:\WINDOWS\tasks\XoftSpySE.job -> [2010/01/06 01:46:03 | 00,000,376 | ---- | M] ()
Advanced SystemCare (2).lnk -> C:\Documents and Settings\Admin\Desktop\Advanced SystemCare (2).lnk -> [2010/01/05 19:54:12 | 00,000,898 | ---- | M] ()
OpenOffice.org (2).lnk -> C:\Documents and Settings\Admin\Desktop\OpenOffice.org (2).lnk -> [2010/01/05 19:17:47 | 00,000,917 | ---- | M] ()
Solar Fire Deluxe (2).lnk -> C:\Documents and Settings\Admin\Desktop\Solar Fire Deluxe (2).lnk -> [2010/01/05 19:15:54 | 00,001,547 | ---- | M] ()
TWS Previous Version.LNK -> C:\TWS Previous Version.LNK -> [2010/01/05 17:51:14 | 00,001,595 | ---- | M] ()
Trader Workstation 4.0.LNK -> C:\Trader Workstation 4.0.LNK -> [2010/01/05 17:51:14 | 00,001,575 | ---- | M] ()
Start AntiVir (2).lnk -> C:\Documents and Settings\Admin\Desktop\Start AntiVir (2).lnk -> [2010/01/04 20:36:09 | 00,001,725 | ---- | M] ()
Launch ParetoLogic Privacy Controls (2).lnk -> C:\Documents and Settings\Admin\Desktop\Launch ParetoLogic Privacy Controls (2).lnk -> [2010/01/04 19:14:00 | 00,000,891 | ---- | M] ()
Launch XoftSpySE (2).lnk -> C:\Documents and Settings\Admin\Desktop\Launch XoftSpySE (2).lnk -> [2010/01/04 19:12:48 | 00,000,819 | ---- | M] ()
Malwarebytes' Anti-Malware (2).lnk -> C:\Documents and Settings\Admin\Desktop\Malwarebytes' Anti-Malware (2).lnk -> [2010/01/04 19:11:40 | 00,000,708 | ---- | M] ()
Progs_.ini -> C:\WINDOWS\Progs_.ini -> [2010/01/04 12:58:44 | 00,000,041 | ---- | M] ()
Speaking Clock Deluxe.lnk -> C:\Documents and Settings\Admin\Desktop\Speaking Clock Deluxe.lnk -> [2010/01/04 12:58:30 | 00,000,688 | ---- | M] ()
Trader Workstation 4.0 (2).LNK -> C:\Documents and Settings\Admin\Desktop\Trader Workstation 4.0 (2).LNK -> [2010/01/04 08:23:59 | 00,001,661 | ---- | M] ()
javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/01/04 08:18:14 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.)
javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/01/04 08:18:14 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.)
java.exe -> C:\WINDOWS\System32\java.exe -> [2010/01/04 08:18:14 | 00,145,184 | ---- | M] (Sun Microsystems, Inc.)
javacpl.cpl -> C:\WINDOWS\System32\javacpl.cpl -> [2010/01/04 08:18:14 | 00,073,728 | ---- | M] (Sun Microsystems, Inc.)
deploytk.dll -> C:\WINDOWS\System32\deploytk.dll -> [2010/01/04 08:18:13 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.)
Ensign Windows.lnk -> C:\Documents and Settings\Admin\Desktop\Ensign Windows.lnk -> [2010/01/03 15:46:35 | 00,000,494 | ---- | M] ()
NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2010/01/03 10:57:02 | 00,000,069 | ---- | M] ()
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/01/02 18:58:18 | 00,006,656 | ---- | M] ()
Shortcut to HijackThis.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to HijackThis.exe.lnk -> [2010/01/01 10:49:03 | 00,000,411 | ---- | M] ()
HijackThis.exe -> C:\HijackThis.exe -> [2010/01/01 10:48:46 | 00,401,720 | ---- | M] (Trend Micro Inc.)
Admin.exe -> C:\Admin.exe -> [2010/01/01 10:48:46 | 00,401,720 | ---- | M] (Trend Micro Inc.)
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Admin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/12/31 22:09:11 | 00,000,767 | ---- | M] ()
ERUNT.lnk -> C:\Documents and Settings\Admin\Desktop\ERUNT.lnk -> [2009/12/31 22:09:04 | 00,000,592 | ---- | M] ()
requested-files[2009-12-31_22_01].cab -> C:\Documents and Settings\Admin\Desktop\requested-files[2009-12-31_22_01].cab -> [2009/12/31 22:01:40 | 00,013,840 | ---- | M] ()
boot.ini -> C:\boot.ini -> [2009/12/31 18:49:07 | 00,000,314 | RHS- | M] ()
hosts.20100109-195327.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20100109-195327.backup -> [2009/12/31 11:16:11 | 00,372,665 | ---- | M] ()
hosts.20091231-111611.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20091231-111611.backup -> [2009/12/31 08:01:29 | 00,372,665 | ---- | M] ()
hosts.20091231-080129.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20091231-080129.backup -> [2009/12/31 07:20:13 | 00,372,665 | ---- | M] ()
1st_Quarter_2010_Almanac.pdf -> C:\Documents and Settings\Admin\My Documents\1st_Quarter_2010_Almanac.pdf -> [2009/12/30 15:48:58 | 03,084,487 | ---- | M] ()
ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job -> C:\WINDOWS\tasks\ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job -> [2009/12/28 19:21:47 | 00,000,446 | ---- | M] ()
MTPredictor Data Server v1.3.lnk -> C:\Documents and Settings\Admin\Desktop\MTPredictor Data Server v1.3.lnk -> [2009/12/28 13:17:47 | 00,002,243 | ---- | M] ()
hosts.20091231-072013.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20091231-072013.backup -> [2009/12/27 21:13:18 | 00,372,089 | ---- | M] ()
avipbb.sys -> C:\WINDOWS\System32\drivers\avipbb.sys -> [2009/12/25 07:05:12 | 00,096,104 | ---- | M] (Avira GmbH)
avgntflt.sys -> C:\WINDOWS\System32\drivers\avgntflt.sys -> [2009/12/25 07:05:12 | 00,056,816 | ---- | M] (Avira GmbH)
ssmdrv.sys -> C:\WINDOWS\System32\drivers\ssmdrv.sys -> [2009/12/25 07:05:12 | 00,028,520 | ---- | M] (Avira GmbH)
Boot.bak -> C:\Boot.bak -> [2009/12/24 14:31:43 | 00,000,210 | ---- | M] ()
8 C:\Documents and Settings\Admin\Local Settings\temp\*.tmp files -> C:\Documents and Settings\Admin\Local Settings\temp\*.tmp ->

[Files - No Company Name]
Spybot Bug Report_MyWebSearch.CLP -> C:\Documents and Settings\Admin\Desktop\Spybot Bug Report_MyWebSearch.CLP -> [2010/01/23 09:23:40 | 00,088,439 | ---- | C] ()
TWS Previous Version.LNK -> C:\Documents and Settings\All Users\Desktop\TWS Previous Version.LNK -> [2010/01/21 07:36:04 | 00,001,667 | ---- | C] ()
Trader Workstation 4.0.LNK -> C:\Documents and Settings\All Users\Desktop\Trader Workstation 4.0.LNK -> [2010/01/21 07:36:04 | 00,001,647 | ---- | C] ()
Shortcut to WinPatrolEx.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to WinPatrolEx.exe.lnk -> [2010/01/20 11:29:51 | 00,000,758 | ---- | C] ()
SpywareBlaster.lnk -> C:\Documents and Settings\Admin\Desktop\SpywareBlaster.lnk -> [2010/01/20 11:15:05 | 00,000,690 | ---- | C] ()
Shortcut to clipbrd.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to clipbrd.exe.lnk -> [2010/01/19 12:54:56 | 00,000,631 | ---- | C] ()
Adobe Reader 9.lnk -> C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk -> [2010/01/19 09:21:39 | 00,001,729 | ---- | C] ()
hiberfil.sys -> C:\hiberfil.sys -> [2010/01/17 10:12:14 | 21,459,64032 | -HS- | C] ()
Calc_Furnaces.xls -> C:\Documents and Settings\Admin\My Documents\Calc_Furnaces.xls -> [2010/01/13 18:41:18 | 00,208,384 | ---- | C] ()
IconCache.db -> C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db -> [2010/01/12 16:19:47 | 21,515,974 | -H-- | C] ()
Fibonacci Galactic Trader 4 (2).lnk -> C:\Documents and Settings\Admin\Desktop\Fibonacci Galactic Trader 4 (2).lnk -> [2010/01/08 07:57:21 | 00,001,307 | ---- | C] ()
Advanced SystemCare (2).lnk -> C:\Documents and Settings\Admin\Desktop\Advanced SystemCare (2).lnk -> [2010/01/05 19:54:12 | 00,000,898 | ---- | C] ()
OpenOffice.org (2).lnk -> C:\Documents and Settings\Admin\Desktop\OpenOffice.org (2).lnk -> [2010/01/05 19:17:47 | 00,000,917 | ---- | C] ()
Solar Fire Deluxe (2).lnk -> C:\Documents and Settings\Admin\Desktop\Solar Fire Deluxe (2).lnk -> [2010/01/05 19:15:54 | 00,001,547 | ---- | C] ()
TWS Previous Version.LNK -> C:\TWS Previous Version.LNK -> [2010/01/05 17:51:14 | 00,001,595 | ---- | C] ()
Trader Workstation 4.0.LNK -> C:\Trader Workstation 4.0.LNK -> [2010/01/05 17:51:13 | 00,001,575 | ---- | C] ()
Start AntiVir (2).lnk -> C:\Documents and Settings\Admin\Desktop\Start AntiVir (2).lnk -> [2010/01/04 20:36:09 | 00,001,725 | ---- | C] ()
Launch ParetoLogic Privacy Controls (2).lnk -> C:\Documents and Settings\Admin\Desktop\Launch ParetoLogic Privacy Controls (2).lnk -> [2010/01/04 19:14:00 | 00,000,891 | ---- | C] ()
Launch XoftSpySE (2).lnk -> C:\Documents and Settings\Admin\Desktop\Launch XoftSpySE (2).lnk -> [2010/01/04 19:12:48 | 00,000,819 | ---- | C] ()
Malwarebytes' Anti-Malware (2).lnk -> C:\Documents and Settings\Admin\Desktop\Malwarebytes' Anti-Malware (2).lnk -> [2010/01/04 19:11:40 | 00,000,708 | ---- | C] ()
Progs_.ini -> C:\WINDOWS\Progs_.ini -> [2010/01/04 12:58:44 | 00,000,041 | ---- | C] ()
Speaking Clock Deluxe.lnk -> C:\Documents and Settings\Admin\Desktop\Speaking Clock Deluxe.lnk -> [2010/01/04 12:58:30 | 00,000,688 | ---- | C] ()
Trader Workstation 4.0 (2).LNK -> C:\Documents and Settings\Admin\Desktop\Trader Workstation 4.0 (2).LNK -> [2010/01/04 08:23:59 | 00,001,661 | ---- | C] ()
ntuser.dat -> C:\Documents and Settings\Admin\ntuser.dat -> [2010/01/03 11:33:24 | 11,534,336 | ---- | C] ()
Shortcut to HijackThis.exe.lnk -> C:\Documents and Settings\Admin\Desktop\Shortcut to HijackThis.exe.lnk -> [2010/01/01 10:49:03 | 00,000,411 | ---- | C] ()
ERUNT AutoBackup.lnk -> C:\Documents and Settings\Admin\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -> [2009/12/31 22:09:11 | 00,000,767 | ---- | C] ()
ERUNT.lnk -> C:\Documents and Settings\Admin\Desktop\ERUNT.lnk -> [2009/12/31 22:09:04 | 00,000,592 | ---- | C] ()
requested-files[2009-12-31_22_01].cab -> C:\Documents and Settings\Admin\Desktop\requested-files[2009-12-31_22_01].cab -> [2009/12/31 22:01:40 | 00,013,840 | ---- | C] ()
1st_Quarter_2010_Almanac.pdf -> C:\Documents and Settings\Admin\My Documents\1st_Quarter_2010_Almanac.pdf -> [2009/12/30 15:48:58 | 03,084,487 | ---- | C] ()
ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job -> C:\WINDOWS\tasks\ParetoLogic Privacy Controls_{25B399F8-F410-11DE-82C1-0016761CF813}.job -> [2009/12/28 19:21:46 | 00,000,446 | ---- | C] ()
Microsoft Office.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk -> [2009/12/24 14:32:10 | 00,001,725 | ---- | C] ()
APC UPS Status.lnk -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk -> [2009/12/24 14:32:10 | 00,000,629 | ---- | C] ()
NtDirect.dll -> C:\WINDOWS\System32\NtDirect.dll -> [2009/12/09 06:24:54 | 00,098,304 | ---- | C] ()
mdm.ini -> C:\WINDOWS\mdm.ini -> [2009/05/09 19:32:30 | 00,000,063 | ---- | C] ()
RMDSConfig.ini -> C:\WINDOWS\System32\RMDSConfig.ini -> [2009/03/19 09:10:50 | 00,000,108 | ---- | C] ()
ss.drv -> C:\WINDOWS\System32\ss.drv -> [2008/12/29 12:53:57 | 00,006,144 | -HS- | C] ()
EurekaLog.ini -> C:\WINDOWS\EurekaLog.ini -> [2008/11/29 10:19:10 | 00,000,131 | ---- | C] ()
{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini -> C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini -> [2008/11/17 08:41:05 | 00,000,262 | ---- | C] ()
daptanmo.dll -> C:\WINDOWS\System32\daptanmo.dll -> [2008/08/05 11:39:47 | 00,004,608 | ---- | C] ()
winros_old.ini -> C:\WINDOWS\winros_old.ini -> [2008/08/04 18:48:05 | 00,000,306 | ---- | C] ()
winros.ini -> C:\WINDOWS\winros.ini -> [2008/08/04 18:48:05 | 00,000,301 | ---- | C] ()
WinSig_old.ini -> C:\WINDOWS\WinSig_old.ini -> [2008/08/04 18:48:05 | 00,000,072 | ---- | C] ()
WinSig.ini -> C:\WINDOWS\WinSig.ini -> [2008/08/04 18:48:05 | 00,000,072 | ---- | C] ()
reader_old.ini -> C:\WINDOWS\reader_old.ini -> [2008/08/04 18:48:05 | 00,000,070 | ---- | C] ()
reader.ini -> C:\WINDOWS\reader.ini -> [2008/08/04 18:48:05 | 00,000,070 | ---- | C] ()
msnotr32.dll -> C:\WINDOWS\System32\msnotr32.dll -> [2008/07/19 09:49:13 | 00,000,009 | ---- | C] ()
abaecdfdee_z.dll -> C:\WINDOWS\System32\abaecdfdee_z.dll -> [2008/07/11 19:20:54 | 00,000,023 | -HS- | C] ()
patchw32.dll -> C:\WINDOWS\System32\patchw32.dll -> [2008/07/04 06:23:45 | 00,164,864 | ---- | C] ()
LFCMP61N.DLL -> C:\WINDOWS\System32\LFCMP61N.DLL -> [2008/07/04 06:23:44 | 00,158,720 | ---- | C] ()
Lfpng61n.dll -> C:\WINDOWS\System32\Lfpng61n.dll -> [2008/07/04 06:23:44 | 00,110,080 | ---- | C] ()
LTFIL61N.DLL -> C:\WINDOWS\System32\LTFIL61N.DLL -> [2008/07/04 06:23:44 | 00,043,008 | ---- | C] ()
MSWTHK32.DLL -> C:\WINDOWS\System32\MSWTHK32.DLL -> [2008/07/04 06:23:44 | 00,017,920 | ---- | C] ()
MSWTHK16.DLL -> C:\WINDOWS\System32\MSWTHK16.DLL -> [2008/07/04 06:23:44 | 00,003,360 | ---- | C] ()
patchw32.dll -> C:\WINDOWS\patchw32.dll -> [2008/06/06 18:17:15 | 00,215,144 | R--- | C] ()
pw32a.dll -> C:\WINDOWS\pw32a.dll -> [2008/06/06 18:15:12 | 00,215,144 | R--- | C] ()
pdfxp.dll -> C:\WINDOWS\System32\pdfxp.dll -> [2008/04/07 09:18:59 | 00,081,920 | ---- | C] ()
adwarealert.sys -> C:\WINDOWS\System32\drivers\adwarealert.sys -> [2008/01/25 18:25:35 | 00,019,568 | ---- | C] ()
SierraChart.INI -> C:\WINDOWS\SierraChart.INI -> [2007/11/30 20:27:38 | 00,000,380 | ---- | C] ()
wininit.ini -> C:\WINDOWS\wininit.ini -> [2007/10/13 07:04:33 | 00,000,634 | ---- | C] ()
unninja.ini -> C:\WINDOWS\unninja.ini -> [2007/09/11 15:17:23 | 00,001,411 | ---- | C] ()
solfire6.ini -> C:\WINDOWS\solfire6.ini -> [2007/03/22 19:24:57 | 00,005,755 | ---- | C] ()
px.ini -> C:\WINDOWS\System32\px.ini -> [2007/01/17 12:57:34 | 00,000,000 | ---- | C] ()
vbupdtx.ini -> C:\WINDOWS\vbupdtx.ini -> [2006/12/19 15:39:53 | 00,000,035 | ---- | C] ()
CddbPlaylist2Roxio.dll -> C:\WINDOWS\System32\CddbPlaylist2Roxio.dll -> [2006/12/13 23:01:36 | 00,520,192 | ---- | C] ()
CddbFileTaggerRoxio.dll -> C:\WINDOWS\System32\CddbFileTaggerRoxio.dll -> [2006/12/13 23:01:36 | 00,204,800 | ---- | C] ()
cdplayer.ini -> C:\WINDOWS\cdplayer.ini -> [2006/11/24 11:25:38 | 00,040,418 | ---- | C] ()
ShareBarData.dll -> C:\WINDOWS\ShareBarData.dll -> [2006/11/10 21:06:02 | 00,059,904 | ---- | C] ()
ETSF0002.dll -> C:\WINDOWS\System32\ETSF0002.dll -> [2006/05/11 14:26:34 | 01,164,800 | ---- | C] ()
swedll32.dll -> C:\WINDOWS\System32\swedll32.dll -> [2006/05/05 12:38:42 | 00,434,176 | ---- | C] ()
NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2006/04/12 18:25:12 | 00,000,069 | ---- | C] ()
PROTOCOL.INI -> C:\WINDOWS\PROTOCOL.INI -> [2006/04/11 20:23:34 | 00,000,000 | ---- | C] ()
acsatlas.ini -> C:\WINDOWS\acsatlas.ini -> [2006/04/11 20:22:50 | 00,000,140 | ---- | C] ()
ETASCII.INI -> C:\WINDOWS\ETASCII.INI -> [2006/04/11 20:19:43 | 00,001,520 | ---- | C] ()
ETPLAN1.DLL -> C:\WINDOWS\System32\ETPLAN1.DLL -> [2006/04/11 20:19:41 | 00,089,600 | ---- | C] ()
ETAST32.dll -> C:\WINDOWS\System32\ETAST32.dll -> [2006/04/11 20:19:41 | 00,043,520 | ---- | C] ()
solfire5.ini -> C:\WINDOWS\solfire5.ini -> [2006/04/11 20:19:26 | 00,004,626 | ---- | C] ()
ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2006/04/06 21:57:41 | 00,000,376 | ---- | C] ()
ddedll.dll -> C:\WINDOWS\ddedll.dll -> [2006/04/06 09:42:45 | 00,200,704 | ---- | C] ()
ib.ini -> C:\WINDOWS\ib.ini -> [2006/04/06 09:36:37 | 00,000,042 | ---- | C] ()
toFront.dll -> C:\WINDOWS\toFront.dll -> [2006/04/06 09:36:36 | 00,027,136 | ---- | C] ()
GetIe.dll -> C:\WINDOWS\GetIe.dll -> [2006/04/06 09:36:36 | 00,026,624 | ---- | C] ()
KADJISYS.INI -> C:\WINDOWS\KADJISYS.INI -> [2006/04/06 09:03:27 | 00,000,024 | ---- | C] ()
astros.ini -> C:\WINDOWS\astros.ini -> [2006/04/06 09:03:11 | 00,000,405 | ---- | C] ()
FTGT32.INI -> C:\WINDOWS\FTGT32.INI -> [2006/04/06 09:03:04 | 00,000,550 | ---- | C] ()
FTROBOT.INI -> C:\WINDOWS\FTROBOT.INI -> [2006/04/06 09:03:04 | 00,000,023 | ---- | C] ()
IQ_API.dll -> C:\WINDOWS\System32\IQ_API.dll -> [2006/04/06 09:00:11 | 00,040,960 | ---- | C] ()
CTA32.dll -> C:\WINDOWS\System32\CTA32.dll -> [2006/04/06 09:00:08 | 00,065,536 | ---- | C] ()
CompDLL.dll -> C:\WINDOWS\System32\CompDLL.dll -> [2006/04/06 09:00:08 | 00,045,056 | ---- | C] ()
SX32W.DLL -> C:\WINDOWS\System32\SX32W.DLL -> [2006/04/06 09:00:08 | 00,036,352 | ---- | C] ()
proxydll.dll -> C:\WINDOWS\System32\proxydll.dll -> [2006/04/06 09:00:08 | 00,028,672 | ---- | C] ()
IMPLODE.DLL -> C:\WINDOWS\System32\IMPLODE.DLL -> [2006/04/06 09:00:08 | 00,017,920 | ---- | C] ()
MMP.DLL -> C:\WINDOWS\System32\MMP.DLL -> [2006/04/06 08:57:30 | 00,180,224 | ---- | C] ()
MAPMEMP.SYS -> C:\WINDOWS\System32\drivers\MAPMEMP.SYS -> [2006/04/06 08:57:30 | 00,063,080 | ---- | C] ()
FASTPCL.DLL -> C:\WINDOWS\System32\FASTPCL.DLL -> [2006/04/06 08:57:30 | 00,014,082 | ---- | C] ()
SETNTREG.DLL -> C:\WINDOWS\System32\SETNTREG.DLL -> [2006/04/06 08:57:30 | 00,010,752 | ---- | C] ()
FASTPCNT.DLL -> C:\WINDOWS\System32\FASTPCNT.DLL -> [2006/04/06 08:57:30 | 00,008,192 | ---- | C] ()
CALL32.DLL -> C:\WINDOWS\System32\CALL32.DLL -> [2006/04/06 08:57:30 | 00,003,776 | ---- | C] ()
revew2k.dll -> C:\WINDOWS\System32\revew2k.dll -> [2006/04/05 21:24:58 | 00,028,674 | ---- | C] ()
st2itwa.dll -> C:\WINDOWS\System32\st2itwa.dll -> [2006/04/05 21:24:58 | 00,024,576 | ---- | C] ()
noeyreg.dll -> C:\WINDOWS\System32\noeyreg.dll -> [2006/04/05 21:24:58 | 00,023,554 | ---- | C] ()
nvwdmcpl.dll -> C:\WINDOWS\System32\nvwdmcpl.dll -> [2006/03/09 14:29:00 | 01,703,936 | ---- | C] ()
nview.dll -> C:\WINDOWS\System32\nview.dll -> [2006/03/09 14:29:00 | 01,486,848 | ---- | C] ()
nvwimg.dll -> C:\WINDOWS\System32\nvwimg.dll -> [2006/03/09 14:29:00 | 01,019,904 | ---- | C] ()
nvhwvid.dll -> C:\WINDOWS\System32\nvhwvid.dll -> [2006/03/09 14:29:00 | 00,573,440 | ---- | C] ()
nvshell.dll -> C:\WINDOWS\System32\nvshell.dll -> [2006/03/09 14:29:00 | 00,466,944 | ---- | C] ()
nvnt4cpl.dll -> C:\WINDOWS\System32\nvnt4cpl.dll -> [2006/03/09 14:29:00 | 00,286,720 | ---- | C] ()
fmtkit60.dll -> C:\WINDOWS\System32\fmtkit60.dll -> [2005/06/08 22:00:00 | 00,360,448 | ---- | C] ()
ETSF0001.dll -> C:\WINDOWS\System32\ETSF0001.dll -> [2005/01/21 16:50:18 | 00,486,400 | ---- | C] ()
METALIB.DLL -> C:\WINDOWS\System32\METALIB.DLL -> [2004/04/19 19:13:00 | 00,434,176 | ---- | C] ()
ETPlan2.dll -> C:\WINDOWS\System32\ETPlan2.dll -> [2003/03/11 13:36:00 | 00,073,216 | ---- | C] ()
MSRTEDIT.DLL -> C:\WINDOWS\System32\MSRTEDIT.DLL -> [1999/01/22 13:46:58 | 00,065,536 | ---- | C] ()
REGOBJ.DLL -> C:\WINDOWS\System32\REGOBJ.DLL -> [1998/01/12 03:00:00 | 00,040,448 | ---- | C] ()

[Alternate Data Streams]
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E95B6FD
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
[/code]

peku006
2010-01-24, 09:10
Hi condor

Have you used the "Ask toolbar"?

MyWebSearch and MyWay are Internet Explorer toolbars (Add-ons (http://windowsxp.mvps.org/addons.htm)) often bundled with "free software" offered by third party software vendors. You can read more about it in What is MyWebSearch? (http://www.pchell.com/support/mywebsearch.shtml). The MyWebSearch Help Center (http://help.mywebsearch.com/sbar2.html) provides additional information and frequently asked questions related to the toolbar.

MyWebSearch and MyWay were pre-installed on new Dell computers starting in November 2004 as reported in The Pharmer In The Dell (http://thundercloud.net/infoave/pharmer-rant.htm). Dell had a link to "What is the Dell MyWebSearch Home Page?" but it has since been redirected to The "Dell My Way" Home Page (http://support.dell.com/support/topics/global.aspx/support/dsn/en/document?c=us&cs=19&l=en&s=dhs&dn=1091919). Dell now uses the "Dell Search Assistant (http://dellsearchedit.myway.com/samisc/searchhelp.jhtml)" where they address many of the same concerns previously addressed in the redirected link. To remove the Search Assistant, please follow Dell's Search Assistant removal instructions (http://dellsearchedit.myway.com/samisc/searchhelp.jhtml#sa3).

Some anti-virus and anti-malware programs detect the toolbar as a malware threat (not-a-virus:AdTool.Win32.MyWebSearch) while others (Spybot, MBAM, Ad-aware...) may detect or try removing its files and registry entries. Although these types of scanning tools detect its files/registry entries, remnants may still be found from time to time during subsequent scans. If that's all you are dealing with, then I wouldn't be too concerned.

To remove MyWebSearch, please follow the instructions for How do I "uninstall" the My Web Search toolbar? (http://help.mywebsearch.com/sbar2.html#q4) or try using MS-MVP Kelly Theriot's MyWaySearchAssistant Uninstaller (http://www.kellys-korner-xp.com/regs_edits/DellMyWaySearchAssistantUninstaller.exe).

Thanks peku006

condor
2010-01-28, 04:22
Hi peku006,

I was wondering if you know of any software tool that would help me trace back from the MyWay.MyWebSearch entry in the registry to the source of the infection? We know the registry address of the problem. Can we work backwards to find it?

The problem probably started as you said with the Ask.com toolbar and I have tried the suggestions you made, as well as uninstalling & deleting anything toolbar or browser related, but still cannot get to the source.

Thanks again for all your help.

condor

peku006
2010-01-28, 08:53
Hi condor
OK, we can remove "Ask.com" totally.

Under the Paste Fix Here box on the right, paste in the contents of the following code box


[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Admin\Application Data\Mozilla\FireFox\Profiles\4f99sura.default\prefs.js
YN -> browser.search.defaultenginename -> "Ask.com"
YN -> browser.search.order.1 -> "Ask.com"
YN -> browser.search.selectedEngine -> "Ask.com"
< FireFox SearchPlugins [User Folders] > ->
YY -> askcom.xml -> C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\searchplugins\askcom.xml
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\] > -> HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]


Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
* This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.

Thanks peku006
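The OTS fix above lists three toolbar CLSIDs under the user's Toolbar\WebBrowser key, each marked "Reg Error: Key error" because the matching HKCR\CLSID registration is gone, and the previous post asked how to work backwards from such a registry entry to its source. The following script is an added example, not part of the thread or of OTS: it walks the machine-wide and per-user IE toolbar lists, resolves every GUID-named value through HKCR\CLSID\{guid}\InprocServer32 to the DLL that implements it, and flags orphans (no CLSID registration), DLLs that no longer exist on disk, and DLL paths matching the adware names discussed here. The `$suspect` pattern and the SID regex are assumptions; run it from an elevated PowerShell (2.0 or later) so the other users' HKEY_USERS hives are readable.

```powershell
# Added example (not from the thread or OTS): resolve IE toolbar CLSIDs to their DLLs.
# Assumes PowerShell 2.0+ on Windows, run elevated so loaded HKEY_USERS hives are readable.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Assumption: a case-insensitive match on the DLL path is enough to flag the
# families discussed in this thread.
$suspect = 'MyWebSearch|MyWay|FunWebProducts|Ask'

function Resolve-ToolbarClsid {
    param([string]$Clsid)
    $inproc = "HKCR:\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $inproc)) {
        # This is the case OTS reported as "Reg Error: Key error": the toolbar
        # value survives but the COM class it points at has been unregistered.
        return New-Object PSObject -Property @{ Clsid = $Clsid; Dll = $null; Status = 'orphan (no CLSID registration)' }
    }
    $dll = (Get-ItemProperty -Path $inproc).'(default)'
    $status = if ($dll -and (Test-Path $dll)) { 'dll present' } else { 'dll missing on disk' }
    if ($dll -match $suspect) { $status += ' ** matches adware pattern **' }
    New-Object PSObject -Property @{ Clsid = $Clsid; Dll = $dll; Status = $status }
}

# Machine-wide toolbar registrations plus the WebBrowser list of every loaded user hive
# (SIDs of the form S-1-5-21-...; the *_Classes hives are skipped by the regex).
$paths = @('HKLM:\Software\Microsoft\Internet Explorer\Toolbar')
$paths += Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" }

foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    $props = Get-ItemProperty -Path $p
    # Value names that are GUIDs are toolbar CLSIDs; their data is an opaque blob
    # and is not needed to trace the entry back to a DLL.
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f\-]{36}\}$' } |
        ForEach-Object {
            $r = Resolve-ToolbarClsid $_.Name
            "{0}`n    {1}`n    {2} -> {3}" -f $p, $r.Clsid, $r.Status, $r.Dll
        }
}
```

An orphaned CLSID is a leftover, not an active component: nothing can load from it, which is why a scanner keeps "finding" it without the toolbar ever reappearing. A CLSID that resolves to a DLL still on disk is the entry worth chasing, since the file's path, timestamp and signer tell you which installer put it there.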

condor
2010-01-28, 13:31
Hi peku006,

Here is the log from OTS.

Thanks

condor

[Registry - Safe List]
File C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\4f99sura.default\searchplugins\askcom.xml not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}\ not found.
< End of fix log >
OTS by OldTimer - Version 3.1.19.4 fix logfile created on 01282010_070945

peku006
2010-01-31, 08:03
Hi condor


Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
MyWebSearch


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

Thanks peku006
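SystemLook's `:regfind` directive searches key names, value names and value data for a string. The script below is an added example written for this page, not SystemLook's code and not from the thread: it performs the same search with PowerShell's registry provider, reports each hit tagged by where it matched, and, unlike a silent scan, counts the keys it could not open. That count matters on a machine like the one in this thread: a key that denies read access (the "cannot open" case from regedit) will never show up as a hit, so "No data found" is only conclusive when the skipped-key count is zero. The default roots and the pattern are assumptions; run it elevated on PowerShell 2.0 or later.

```powershell
# Added example (not SystemLook's code): recursive registry string search with a
# count of keys that could not be opened. Assumes PowerShell 2.0+, run elevated.
function Search-Registry {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software')
    )
    $hits = @()
    $errs = @()
    foreach ($root in $Roots) {
        # -ErrorVariable +errs collects access-denied errors instead of aborting.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue -ErrorVariable +errs |
            ForEach-Object {
                $key = $_   # Microsoft.Win32.RegistryKey
                if ($key.PSChildName -match $Pattern) {
                    $hits += "[Key]  $($key.Name)"
                }
                foreach ($name in $key.GetValueNames()) {
                    $data = $key.GetValue($name)
                    if ($name -match $Pattern) {
                        $hits += "[Name] $($key.Name) : '$name'"
                    } elseif ($data -is [string] -and $data -match $Pattern) {
                        $hits += "[Data] $($key.Name) : '$name' = $data"
                    } elseif ($data -is [string[]] -and (($data -join "`n") -match $Pattern)) {
                        $hits += "[Data] $($key.Name) : '$name' = $($data -join ';')"
                    }
                }
            }
    }
    # Keys the provider could not open: a hit inside one of these is invisible.
    $denied = @($errs | Where-Object { $_.Exception -is [System.Security.SecurityException] }).Count
    $hits
    "--- $($hits.Count) hit(s); $denied key(s) skipped because access was denied ---"
}

Search-Registry -Pattern 'MyWebSearch|MyWay'
```

To cover the locked key from this thread directly, add its hive to `-Roots`, for example `'Registry::HKEY_USERS\S-1-5-21-1844237615-1326574676-725345543-1004\Software'`; if that root itself appears in the skipped count, the permissions have to be fixed (take ownership, then grant Administrators Full Control) before any search result can be trusted.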

condor
2010-01-31, 19:11
Hi peku006,

I have run Systemlook and OTM several times over the past few days (as you showed me in earlier posts) and have narrowed the initiating factor down to “something” in the IE files which directs IE to h**p://go.microsoft.com/fwlink/?LinkId=69157 or 54896.
This immediately generates the Registry entry
“R1 – HKLM \Software\Microsoft\Internet Explorer\Main\ “etc,
as appeared in the first HJT log you had me run on Page 1, and also the entry Spybot initially found at the “toolbar” address “A4AA.”

I confirmed the problem as initiating in IE by uninstalling/deleting IE8. This stopped the infection. When I re-installed IE8 the problem came back even though I had added the "bad" http address to the IE Restricted Web Site list, and Custom Blocking the "A4AA" address in Spyblaster. So there appear to be some files I was unable to delete before I did the re-install of IE8.

I uninstalled IE8 again yesterday and have had no re-infection since. It seems if I no longer use IE I will not re-infect the computer.

I don’t know if it is significant, but after IE had been uninstalled WinPatrol intercepted a file called “Research” supposedly from Microsoft IE trying to install itself.

Perhaps there is some way to clean up the remnants of the IE files which would also include wherever the virus is lurking?

Here is the Systemlook file you requested which seems to be OK.

Thanks again for all your help.

condor

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:14 on 31/01/2010 by Admin (Administrator - Elevation successful)

========== regfind ==========

Searching for "MyWebSearch"
No data found.

-=End Of File=-

peku006
2010-02-02, 09:27
Hi condor

All the logs look good... I have to say that, in my view, we are ready. I cannot help you any more if the problem is due to IE.

Thanks peku006

peku006
2010-02-04, 16:50
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read :
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)