Strange Goings On II
Hello,
This is my first post. I am running Windows XP Home SP3 on a Compaq Presario SR1123WM. I'm here because I have some very strange things going on. I have a dialog box that comes up on startup with a 0 in the title bar and only a 0 in the dialog area. The only way to get past this is to click on OK since you can't X out of it.

I have uninstalled Windows Media Player since I don't use it. However, since uninstalling I have found some files with the WMP icon. When I mouse over these the yellow box says it's a DAT file; however, if you open the properties it says the file is a Notepad file.

I have been having problems with my AVG 2011 antivirus. It has shown no problems, but I ran across one of the above-mentioned WMP/Notepad files that in the text mentions registering a fake update to AVG. I have tried to repair and uninstall with AVG Remover and reinstall but am still having problems and no detections.

It also appears that the msi.exe file may be corrupted because although I can download and see the install window installing updates, they do not show up in Control Panel with Show Updates checked. Also when I scan images in and have the folder set to view as Thumbnails no thumbs show up, just folders and icons as tiles.

Also there is a program in Add/Remove Programs, Microsoft Visual J# .NET Redistributable Package 1.1, that will not let me uninstall. I have researched this program and I do not need or want it. I have run a search on my computer and this program did not come up so it appears to be hidden.

Thank you in advance for your help.
Here are the logs
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 13:01:36.39 on Mon 02/21/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.32 [GMT -6:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com
============== Pseudo HJT Report ===============
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Trend Micro RUBotted V2.0 Beta] c:\program files\trend micro\rubotted\RUBottedGUI.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Conime] %windir%\system32\conime.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\erunt autobackup.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\microsoft office fast start.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\microsoft office find fast indexer.lnk - c:\msoffice\office\FINDFAST.EXE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\microsoft office shortcut bar.lnk - c:\msoffice\office\MSOFFICE.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office fast start.lnk - c:\msoffice\office\FASTBOOT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office find fast indexer.lnk - c:\msoffice\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microsoft office shortcut bar.lnk - c:\msoffice\office\MSOFFICE.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
============= SERVICES / DRIVERS ===============
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-2-8 439632]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S2 LinksysUpdater;Linksys Updater;"c:\program files\linksys\linksys updater\bin\linksysupdater.exe" -s "c:\program files\linksys\linksys updater\conf\wrapper.conf" --> c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [?]
S3 GQOHOD;GQOHOD;c:\docume~1\owner\locals~1\temp\GQOHOD.exe [2011-2-11 420736]
S3 GYX;GYX;c:\docume~1\owner\locals~1\temp\GYX.exe [2011-2-11 469888]
=============== Created Last 30 ================
2011-02-18 13:33:08 -------- d-----w- c:\documents and settings\owner\My Scans
2011-02-17 13:38:12 -------- d--h--w- c:\windows\PIF
2011-02-17 13:36:18 -------- d-----w- C:\MSOffice
2011-02-15 18:52:16 -------- d-----w- c:\docume~1\owner\applic~1\ElevatedDiagnostics
2011-02-10 17:48:47 -------- d-----w- c:\program files\RegScrubXP
2011-02-08 17:48:47 -------- d-----w- c:\program files\WinPcap
2011-02-08 17:48:05 -------- d-----w- c:\program files\Trend Micro
2011-02-04 20:21:55 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
2011-02-04 20:14:01 -------- d-----w- c:\program files\AVG
2011-02-04 19:34:08 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-04 19:34:08 -------- d-----w- c:\documents and settings\owner\log
2011-02-04 16:17:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-01-24 17:52:17 -------- d-----w- c:\docume~1\owner\locals~1\applic~1\Help
2011-01-24 14:00:40 -------- d-----w- c:\windows\pss
==================== Find3M ====================
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-10 18:16:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-10 18:16:38 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:08:57 282624 ----a-w- c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\presario\xphnars4en\plugin\bin\jsharpde\clientutil52.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38:47 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:05 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
============= FINISH: 13:02:38.18 ===============
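A triage pass over the SERVICES / DRIVERS block of the DDS log above, as an added example that is not part of the original post and not part of DDS itself. It parses each service line in the format DDS prints and flags the entries a reviewer would look at first: images that run out of a user's Temp folder, services whose name is a random-looking string with no descriptive display name, and images DDS could not read (printed as [?]). The sample input is copied from the log above; the Service and Finding classes and the heuristics are this example's own. A flag means "look at this", not that the file is malicious; nothing on this page establishes what GQOHOD.exe or GYX.exe are.

```python
"""Flag suspicious entries in the SERVICES / DRIVERS block of a DDS log.

Added example, not part of the thread above or of DDS.  DDS prints one
service per line as
    <R|S><start> <ServiceName>;<DisplayName>;<ImagePath> [<date> <size>]
where R/S is running/stopped, <start> is the Start value (2 auto, 3 manual),
and "[?]" replaces the date and size when the image file could not be read.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_SERVICES = r"""R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\RUBotSrv.exe [2011-2-8 439632]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-9-13 308656]
S2 LinksysUpdater;Linksys Updater;"c:\program files\linksys\linksys updater\bin\linksysupdater.exe" -s "c:\program files\linksys\linksys updater\conf\wrapper.conf" --> c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [?]
S3 GQOHOD;GQOHOD;c:\docume~1\owner\locals~1\temp\GQOHOD.exe [2011-2-11 420736]
S3 GYX;GYX;c:\docume~1\owner\locals~1\temp\GYX.exe [2011-2-11 469888]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Locations that should never host a service image on a clean workstation
# (8.3 short names as DDS prints them, plus the long forms).
TEMP_RE = re.compile(r"\\(?:locals~1\\temp|local settings\\temp|temp)\\")
PROFILE_RE = re.compile(r"^c:\\(?:docume~1|documents and settings)\\")
# Short all-caps names such as GQOHOD or GYX.  Legitimate short names (NPF)
# are only flagged when the display name is the same meaningless string.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{3,8}$")


@dataclass
class Service:
    state: str            # "R" running, "S" stopped
    start: int            # 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    image: str            # resolved image path, lower-cased
    size: Optional[int]   # None when DDS printed "[?]"


@dataclass
class Finding:
    name: str
    image: str
    reasons: List[str]


def parse_service_line(line: str) -> Optional[Service]:
    """Parse one DDS service line; return None for headers and other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image = m["image"]
    # When the image path carries arguments DDS appends "--> <resolved path>";
    # keep only the resolved path.
    if "-->" in image:
        image = image.rsplit("-->", 1)[1]
    image = image.strip().strip('"').lower()
    meta = m["meta"].split()
    size = int(meta[-1]) if len(meta) == 2 and meta[-1].isdigit() else None
    return Service(m["state"], int(m["start"]), m["name"].strip(),
                   m["display"].strip(), image, size)


def assess(svc: Service) -> List[str]:
    """Heuristics (this example's own) that earn a service a second look."""
    reasons = []
    if TEMP_RE.search(svc.image):
        reasons.append("image runs from a temp folder")
    elif PROFILE_RE.match(svc.image):
        reasons.append("image lives under a user profile, not Program Files or System32")
    if svc.display == svc.name and RANDOM_NAME_RE.match(svc.name):
        reasons.append("random-looking name with no descriptive display name")
    if svc.size is None:
        reasons.append("DDS could not read the image (printed [?]); file may be missing")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per service line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_service_line(line)
        if svc is not None:
            reasons = assess(svc)
            if reasons:
                findings.append(Finding(svc.name, svc.image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        print(f"{f.name}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the two S3 services in the Temp folder and the LinksysUpdater entry (whose image DDS could not read, which matches the "File not found" line for the same service in the OTL log further down) are the only ones reported; NPF, RUBotSrv and the Kodak service pass because their images live under System32 or Program Files and carry proper display names.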
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
Run these programs in order, please.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility.
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
I have run the scans you requested with settings as instructed. ATF Cleaner ran fine. Downloaded and installed Malwarebytes and scanned; it found nothing. Downloaded and installed OTL, ran as instructed. I got an error message as follows: Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c. When I clicked Retry the message flashed. Tried this three times, then clicked Continue and nothing happened; clicked Continue four more times and the scan resumed.

Also, since yesterday when I installed and ran Spybot S&D, which found nothing, my desktop icon and Start menu icons are missing. Went to the Program Files folder and there was no .exe file. There was, however, one of those WMP icons that says it's a DAT file on rollover and says it's a DAT file in Properties that opens with Notepad. Also in the Spybot program folder is a file unis000.msg. It says this is an Outlook Item, same in Properties. I don't use Outlook at all. Also my AVG 2011 antivirus is not working and I can't repair it or reinstall it.
Malwarebytes Log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5854
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/23/2011 1:51:15 PM
mbam-log-2011-02-23 (13-51-15).txt
Scan type: Quick scan
Objects scanned: 137833
Time elapsed: 6 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
OTL Logs
OTL.txt
OTL logfile created on: 2/23/2011 1:58:39 PM - Run 1
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 160.00 Mb Available Physical Memory | 64.00% Memory free
606.00 Mb Paging File | 391.00 Mb Available in Paging File | 64.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.29 Gb Free Space | 84.16% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe (Adobe Systems Incorporated)
PRC - C:\WINDOWS\system32\WISPTIS.EXE (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (nmservice) -- File not found
SRV - (LinksysUpdater) -- File not found
SRV - (HidServ) -- File not found
SRV - (GYX) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (nosGetPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
========== Driver Services (SafeList) ==========
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2004/02/13 02:08:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 02:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{1a1dc31e-19ab-11e0-bf94-0011091137e1}\Shell\AutoRun\command - "" = J:\setupSNK.exe
O33 - MountPoints2\{305a3320-19a9-11e0-bf93-806d6172696f}\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/23 13:54:36 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:41:38 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 15:09:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Candy
[2011/02/22 14:00:50 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/22 10:46:40 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/02/21 15:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/02/21 14:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/02/21 13:15:15 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:40:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/21 11:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/02/21 11:34:24 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 07:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Scans
[2011/02/17 11:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Forklift Checklists
[2011/02/17 07:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/02/17 07:36:18 | 000,000,000 | ---D | C] -- C:\MSOffice(2)
[2011/02/16 12:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Shipping Notices
[2011/02/16 12:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Repairs Received
[2011/02/16 12:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AEI TAG P.O.s
[2011/02/15 12:52:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2011/02/15 12:40:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/02/11 14:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer
[2011/02/11 14:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\backups
[2011/02/10 14:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\vmmap
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegScrubXP
[2011/02/10 11:23:44 | 000,115,960 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:20:49 | 000,122,152 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:09:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/10 10:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Browser Guard 2010
[2011/02/08 11:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/08 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/08 11:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/08 11:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 07:37:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/02/07 07:33:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/02/04 14:38:56 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 14:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1
[2011/02/04 14:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/02/04 13:45:05 | 006,018,568 | ---- | C] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:27 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\log
[2011/02/04 10:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/28 09:57:15 | 002,132,576 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:41 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 30 Days ==========
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:42:57 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 13:41:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 14:00:50 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/22 13:47:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/22 13:47:17 | 259,575,808 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/21 15:03:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 15:03:13 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/21 14:17:58 | 001,171,456 | -H-- | M] () -- C:\__ofidx0.ffx
[2011/02/21 14:17:58 | 000,180,224 | -H-- | M] () -- C:\__ofidx.ffl
[2011/02/21 14:17:58 | 000,004,713 | -H-- | M] () -- C:\__ofidx.ffa
[2011/02/21 13:15:15 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:34:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 11:17:08 | 000,009,830 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/15 12:40:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 07:54:54 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AEI TAG RECEIVED LIST.xls
[2011/02/11 11:14:18 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:22 | 000,305,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 13:00:55 | 000,443,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/10 13:00:55 | 000,072,142 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/10 11:48:48 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:23:44 | 000,115,960 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:22:17 | 000,654,920 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:20:55 | 000,122,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:21 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:20 | 000,554,035 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:11:02 | 000,430,080 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/10 11:09:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/09 08:57:00 | 004,337,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:23 | 000,140,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/07 07:31:50 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 13:45:05 | 006,018,568 | ---- | M] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:31 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:33:24 | 001,113,789 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/02/04 11:18:49 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
[2011/01/28 10:52:38 | 090,232,246 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:59 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/28 09:57:15 | 002,132,576 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:56 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2011/02/21 14:17:58 | 000,004,713 | -H-- | C] () -- C:\__ofidx.ffa
[2011/02/21 14:17:54 | 001,171,456 | -H-- | C] () -- C:\__ofidx0.ffx
[2011/02/21 14:13:24 | 000,180,224 | -H-- | C] () -- C:\__ofidx.ffl
[2011/02/18 11:17:07 | 000,009,830 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/11 11:13:22 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:21 | 000,305,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 11:48:48 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:09 | 000,593,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:22:11 | 000,654,920 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:18 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:14 | 000,554,035 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:10:58 | 000,430,080 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/09 08:56:59 | 004,337,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:18 | 000,140,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:50 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/04 13:33:13 | 001,113,789 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/28 10:52:20 | 090,232,246 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:56 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/14 12:54:08 | 000,030,616 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\installer.log
[2011/01/14 11:58:09 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\LaunchHomeCenter.log
[2011/01/07 12:29:17 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/04/03 02:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 01:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 01:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 18:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 18:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 04:01:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 03:52:33 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 03:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 02:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 02:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 02:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 02:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 02:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 00:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/01 17:57:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
========== LOP Check ==========
[2011/02/10 09:24:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/01/14 14:24:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/02/22 14:01:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/02/21 15:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/02/04 11:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG
[2011/02/15 12:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2004/04/02 19:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2011/02/23 08:09:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Temp
[2011/02/17 07:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
< End of report >
Extras.txt
OTL Extras logfile created on: 2/23/2011 1:58:39 PM - Run 1
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 160.00 Mb Available Physical Memory | 64.00% Memory free
606.00 Mb Paging File | 391.00 Mb Available in Paging File | 64.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.29 Gb Free Space | 84.16% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
========== System Restore Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\mmc.exe" = C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console -- (Microsoft Corporation)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{1D643CD7-4DD6-11D7-A4E0-000874180BB3}" = Microsoft Money 2004
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java(TM) 6 Update 23
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{54D4EAF5-4C80-4878-B4AC-5AE454A02E3C}_is1" = Trend Micro RUBotted 2.0 Beta
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8C64E145-54BA-11D6-91B1-00500462BE80}" = Microsoft Money 2004 System Pack
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AC76BA86-7AD7-1033-7B44-A00000000001}" = Adobe Reader 6.0.1
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}" = Microsoft Plus! Digital Media Edition
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{FBDBC490-089D-4476-BF72-1F7A6368200A}" = Pure Networks Platform
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Agere Systems Soft Modem" = Agere Systems PCI Soft Modem
"Compaq Instant Support" = Compaq Instant Support
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"RegScrubXP_is1" = RegScrubXP 3.25
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinPcapInst" = WinPcap 4.1.1
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 2/7/2011 5:31:35 PM | Computer Name = GOODRICH106 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
. Error code = 0x80131047
Error - 2/7/2011 5:31:35 PM | Computer Name = GOODRICH106 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Runtime.Serialization.dll
. Error code = 0x80131047
Error - 2/7/2011 5:31:36 PM | Computer Name = GOODRICH106 | Source = .NET Runtime Optimization Service | ID = 1101
Description = .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32)
- Failed to compile: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.ServiceModel.dll
. Error code = 0x80131047
Error - 2/9/2011 12:00:48 PM | Computer Name = GOODRICH106 | Source = MsiInstaller | ID = 10005
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error
27035. CA_Error27035: ReloadAvi(0xE001003D): Reloading of AVG databases failed
Error - 2/10/2011 2:47:42 PM | Computer Name = GOODRICH106 | Source = MsiInstaller | ID = 11719
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error
1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could
not be accessed. This can occur if you are running Windows in safe mode, or if
the Windows Installer is not correctly installed. Contact your support personnel
for assistance.
Error - 2/11/2011 5:26:36 PM | Computer Name = GOODRICH106 | Source = Application Error | ID = 1000
Description = Faulting application GQOHOD.exe, version 1.71.0.0, faulting module
GQOHOD.exe, version 1.71.0.0, fault address 0x0002764c.
Error - 2/11/2011 5:26:39 PM | Computer Name = GOODRICH106 | Source = Application Error | ID = 1000
Description = Faulting application GQOHOD.exe, version 1.71.0.0, faulting module
GQOHOD.exe, version 1.71.0.0, fault address 0x0002764c.
Error - 2/14/2011 10:57:50 AM | Computer Name = GOODRICH106 | Source = Application Error | ID = 1004
Description = Faulting application GQOHOD.exe, version 1.71.0.0, faulting module
GQOHOD.exe, version 1.71.0.0, fault address 0x0002764c.
Error - 2/22/2011 3:37:49 PM | Computer Name = GOODRICH106 | Source = MsiInstaller | ID = 11719
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error
1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could
not be accessed. This can occur if you are running Windows in safe mode, or if
the Windows Installer is not correctly installed. Contact your support personnel
for assistance.
Error - 2/22/2011 4:06:49 PM | Computer Name = GOODRICH106 | Source = MsiInstaller | ID = 11719
Description = SA_Error1709: StandardAction(0xC00706AD): Product: AVG 2011 -- Error
1719. SA_Error1719: StandardAction(0xC00706B7): The Windows Installer Service could
not be accessed. This can occur if you are running Windows in safe mode, or if
the Windows Installer is not correctly installed. Contact your support personnel
for assistance.
[ System Events ]
Error - 1/12/2011 1:22:01 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 1/12/2011 1:22:01 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .
Error - 1/12/2011 1:22:01 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG10\avgui.exe.
Reference
error message: The operation completed successfully. .
Error - 1/12/2011 1:22:48 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 1/12/2011 1:22:48 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .
Error - 1/12/2011 1:22:48 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG10\avgse.dll.
Reference
error message: The operation completed successfully. .
Error - 1/12/2011 1:23:58 PM | Computer Name = GOODRICH106 | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).
Error - 1/12/2011 1:52:41 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC90.MFC could not be found and Last
Error was The referenced assembly is not installed on your system.
Error - 1/12/2011 1:52:41 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error
message: The referenced assembly is not installed on your system. .
Error - 1/12/2011 1:52:41 PM | Computer Name = GOODRICH106 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\AVG\AVG10\avgse.dll.
Reference
error message: The operation completed successfully. .
< End of report >
Hi,
Looking through your log I am seeing a lot of malware removal programs that you may have run. Best to wait for a helper on the forum before you run any of these on your own; some may have removed some stuff that didn't need to be removed. It's best to just run your AV and a program like Malwarebytes.
RegScrubXP 3.25 <-- running registry cleaners like this is not a good practice either, unless you're a Windows expert and know exactly what's being removed. Even the good, legit programs at times remove entries they should not have; remove the wrong entry or entries and it could leave your system unbootable. I don't know if you ran this and, if so, how many times, but it may have damaged your system.
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
O33 - MountPoints2\{1a1dc31e-19ab-11e0-bf94-0011091137e1}\Shell\AutoRun\command - "" = J:\setupSNK.exe
O33 - MountPoints2\{305a3320-19a9-11e0-bf93-806d6172696f}\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
:Services
:Reg
:Files
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
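The fix script above removes three MountPoints2 AutoRun command entries and the log lines earlier in the thread list files by timestamp, size, attributes and company name. As an added example (not OTL's own code and not part of this thread), here is a small Python triage pass over those two OTL line formats: it parses the file-listing lines and the O33 MountPoints2 lines and flags the items a helper would typically look at first. The sample lines are copied from the logs in this thread; the flagging heuristics (hidden+system attributes, a file with no company name under C:\WINDOWS, a file with no extension, and any AutoRun command registered for a mount point) are my assumptions about what is worth a second look, not a verdict that a file is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List

# OTL file-listing line, e.g.
# [2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
FILE_LINE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| '
    r'(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$'
)

# OTL O33 MountPoints2 AutoRun entry, e.g.
# O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe -- [...] (XSS)
O33_LINE = re.compile(
    r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = '
    r'(?P<cmd>.+?)(?: -- .*)?$'
)

# Directories where an unattributed (no company name) file deserves a look.
# Assumption: only the Windows directory tree is treated as "system" here.
SYSTEM_DIRS = ("c:\\windows\\",)


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: List[str] = field(default_factory=list)


def triage_file_line(m: "re.Match") -> List[str]:
    """Heuristic reasons to look closer at one file-listing line."""
    reasons = []
    attrs = m["attrs"]
    company = m["company"].strip()
    path = m["path"]
    if "H" in attrs and "S" in attrs:
        reasons.append("hidden+system attributes")
    if not company and path.lower().startswith(SYSTEM_DIRS):
        reasons.append("no company name in system directory")
    name = path.rsplit("\\", 1)[-1]
    if "." not in name:
        reasons.append("no file extension")
    return reasons


def triage_autorun_line(m: "re.Match") -> List[str]:
    """Every MountPoints2 AutoRun command is listed; the fix above removed all three."""
    return [f"AutoRun command for mount point {m['key']} runs {m['cmd']}"]


def triage(log_text: str) -> List[Finding]:
    """Return the lines of an OTL log that match one of the triage heuristics."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = FILE_LINE.match(line)
        if m:
            reasons = triage_file_line(m)
        else:
            m = O33_LINE.match(line)
            reasons = triage_autorun_line(m) if m else []
        if reasons:
            findings.append(Finding(line_no, line, reasons))
    return findings


# Constructed sample: six lines copied from the OTL logs posted in this thread.
SAMPLE_LOG = r"""[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
O33 - MountPoints2\{1a1dc31e-19ab-11e0-bf94-0011091137e1}\Shell\AutoRun\command - "" = J:\setupSNK.exe
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Info.exe -- [2002/09/10 21:54:58 | 000,040,960 | -HS- | M] (XSS)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {'; '.join(f.reasons)}")
        print(f"    {f.line}")
```

Run it on a full OTL.txt with `triage(open('OTL.txt', encoding='utf-8', errors='replace').read())`; the output is a shortlist for a human to review, which is the point of the helper's advice above: the tools collect, a person decides what to remove.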
Hi,
I backed up with ERUNT and ran the scan as instructed. Upon reboot I still have the dialog box with 0 in the title bar and 0 in the text area. Posting Fix scan results and OTL scan 2. Thank you.
About the tools I have, I haven't run any "fixes" except RootkitBuster, which found nothing. I have run RootkitRevealer and observed only. These tools were gotten for future use if needed, according to research I have done. None will be run without instructions to do so and directions on use.
OTL Fix Scan Results
All processes killed
========== PROCESSES ==========
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1a1dc31e-19ab-11e0-bf94-0011091137e1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1a1dc31e-19ab-11e0-bf94-0011091137e1}\ not found.
File J:\setupSNK.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{305a3320-19a9-11e0-bf93-806d6172696f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{305a3320-19a9-11e0-bf93-806d6172696f}\ not found.
D:\Info.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
File D:\Info.exe not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Owner
->Temp folder emptied: 46320495 bytes
->Temporary Internet Files folder emptied: 14806754 bytes
->Java cache emptied: 1716232 bytes
->Flash cache emptied: 4283 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 60.00 mb
OTL by OldTimer - Version 3.2.21.0 log created on 02242011_092444
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\SQL.LOG scheduled to be moved on reboot.
Registry entries deleted on Reboot...
OTL Scan 2
OTL logfile created on: 2/24/2011 9:31:27 AM - Run 2
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 145.00 Mb Available Physical Memory | 58.00% Memory free
606.00 Mb Paging File | 405.00 Mb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.39 Gb Free Space | 84.32% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (nmservice) -- File not found
SRV - (LinksysUpdater) -- File not found
SRV - (HidServ) -- File not found
SRV - (GYX) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (nosGetPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
========== Driver Services (SafeList) ==========
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2011/02/24 09:24:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 02:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/24 09:24:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/23 13:54:36 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:41:38 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 15:09:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Candy
[2011/02/22 14:00:50 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/22 10:46:40 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/02/21 15:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/02/21 14:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/02/21 13:15:15 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:40:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/21 11:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/02/21 11:34:24 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 07:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Scans
[2011/02/17 11:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Forklift Checklists
[2011/02/17 07:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/02/17 07:36:18 | 000,000,000 | ---D | C] -- C:\MSOffice(2)
[2011/02/16 12:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Shipping Notices
[2011/02/16 12:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Repairs Received
[2011/02/16 12:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AEI TAG P.O.s
[2011/02/15 12:52:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2011/02/15 12:40:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/02/11 14:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer
[2011/02/11 14:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\backups
[2011/02/10 14:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\vmmap
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegScrubXP
[2011/02/10 11:23:44 | 000,115,960 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:20:49 | 000,122,152 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:09:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/10 10:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Browser Guard 2010
[2011/02/08 11:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/08 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/08 11:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/08 11:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 07:37:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/02/07 07:33:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/02/04 14:38:56 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 14:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1
[2011/02/04 14:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/02/04 13:45:05 | 006,018,568 | ---- | C] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:27 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\log
[2011/02/04 10:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/28 09:57:15 | 002,132,576 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:41 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files - Modified Within 30 Days ==========
[2011/02/24 09:26:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/24 09:25:56 | 259,575,808 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/24 09:24:47 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:42:57 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 13:41:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 14:00:50 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:03:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 15:03:13 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/21 14:17:58 | 001,171,456 | -H-- | M] () -- C:\__ofidx0.ffx
[2011/02/21 14:17:58 | 000,180,224 | -H-- | M] () -- C:\__ofidx.ffl
[2011/02/21 14:17:58 | 000,004,713 | -H-- | M] () -- C:\__ofidx.ffa
[2011/02/21 13:15:15 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:34:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 11:17:08 | 000,009,830 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/15 12:40:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 07:54:54 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AEI TAG RECEIVED LIST.xls
[2011/02/11 11:14:18 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:22 | 000,305,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 13:00:55 | 000,443,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/10 13:00:55 | 000,072,142 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/10 11:48:48 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:23:44 | 000,115,960 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:22:17 | 000,654,920 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:20:55 | 000,122,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:21 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:20 | 000,554,035 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:11:02 | 000,430,080 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/10 11:09:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/09 08:57:00 | 004,337,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:23 | 000,140,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/07 07:31:50 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 13:45:05 | 006,018,568 | ---- | M] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:31 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:33:24 | 001,113,789 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/02/04 11:18:49 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
[2011/01/28 10:52:38 | 090,232,246 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:59 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/28 09:57:15 | 002,132,576 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:56 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files Created - No Company Name ==========
[2011/02/21 14:17:58 | 000,004,713 | -H-- | C] () -- C:\__ofidx.ffa
[2011/02/21 14:17:54 | 001,171,456 | -H-- | C] () -- C:\__ofidx0.ffx
[2011/02/21 14:13:24 | 000,180,224 | -H-- | C] () -- C:\__ofidx.ffl
[2011/02/18 11:17:07 | 000,009,830 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/11 11:13:22 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:21 | 000,305,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 11:48:48 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:09 | 000,593,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:22:11 | 000,654,920 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:18 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:14 | 000,554,035 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:10:58 | 000,430,080 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/09 08:56:59 | 004,337,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:18 | 000,140,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:50 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/04 13:33:13 | 001,113,789 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/28 10:52:20 | 090,232,246 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:56 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/14 12:54:08 | 000,030,616 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\installer.log
[2011/01/14 11:58:09 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\LaunchHomeCenter.log
[2011/01/07 12:29:17 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/04/03 02:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 01:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 01:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 18:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 18:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 04:01:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 03:52:33 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 03:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 02:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 02:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 02:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 02:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 02:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 00:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/01 17:57:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
========== Alternate Data Streams ==========
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
< End of report >
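The log above, read as a triage exercise. What follows is an added example, not part of the original post and not OTL's own code: it recognises the line shapes OTL emits (SRV/DRV entries, O2 BHOs, O18 protocol handlers, O32 autorun files, O34 BootExecute, dated file entries and alternate data streams) and applies the checks a malware-removal helper makes by eye, over a handful of lines copied from this log. The severity labels, the set of services treated as routinely missing on XP SP3 (HidServ, AppMgmt) and the treatment of the default `autocheck autochk *` BootExecute entry are this example's own assumptions, stated in the code; nothing here touches the registry or the file system, it only reads text.

```python
"""Triage rules for OTL (OldTimer) log lines.

Added example; not part of the original post and not OTL's own code. The
rule thresholds and the "known benign" sets below are assumptions made for
illustration, not OTL verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log on this page, one per shape.
SAMPLE_LOG = r"""
SRV - (GYX) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
"""

# Assumption: these are reported as "File not found" on a stock XP SP3 box
# and are left alone; any other orphaned service or driver gets "review".
KNOWN_MISSING_OK = {"AppMgmt", "HidServ"}
# "autocheck autochk *" is the XP default BootExecute value; OTL cannot
# resolve the wildcard argument, so it reports the file as missing.
KNOWN_BOOTEXEC_OK = {"autocheck autochk *"}
# Services that accept remote connections and deserve a second look.
REMOTE_ACCESS_SERVICES = {"rpcapd"}

SRV_MISSING = re.compile(r"^(?:SRV|DRV) - \((?P<name>[^)]+)\).* -- File not found$")
SRV_PRESENT = re.compile(r"^SRV - \((?P<name>[^)]+)\).*? -- (?P<path>.+?) \((?P<company>[^)]*)\)$")
BHO_DEAD = re.compile(r"^O2 - BHO: \([^)]*\) - \{(?P<clsid>[0-9A-F-]+)\} - No CLSID value found\.$")
HANDLER_DEAD = re.compile(r"^O18 - Protocol\\Handler\\(?P<name>\S+) \{[0-9A-F-]+\} - .*File not found$")
AUTORUN = re.compile(r"^O32 - AutoRun File - \[[^|]+\| [\d,]+ \| (?P<attrs>[-A-Z]{4}) \| M\] \(\) - (?P<path>.+?) -- \[ (?P<fs>\w+) \]$")
BOOTEXEC = re.compile(r"^O34 - HKLM BootExecute: \((?P<cmd>[^)]*)\) - File not found$")
FILE_ENTRY = re.compile(r"^\[[^|]+\| (?P<size>[\d,]+) \| [-A-Z]{4} \| [CM]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
ADS = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "cleanup" (dead registration), "review" (needs a human), "info"
    subject: str    # service name, CLSID or path the finding is about
    reason: str


def triage_line(line: str):
    """Return a Finding for one OTL line, or None if the line raises nothing."""
    if m := SRV_MISSING.match(line):
        name = m["name"]
        if name in KNOWN_MISSING_OK:
            return Finding("info", name, "registered but missing on stock XP SP3; leave alone")
        return Finding("review", name, "service/driver registration points at a missing file")
    if m := SRV_PRESENT.match(line):
        if m["name"] in REMOTE_ACCESS_SERVICES:
            return Finding("review", m["name"], f"remote-access service installed: {m['path']}")
        return None
    if m := BHO_DEAD.match(line):
        return Finding("cleanup", m["clsid"], "BHO entry with no CLSID value")
    if m := HANDLER_DEAD.match(line):
        return Finding("cleanup", m["name"], "protocol handler whose file is gone")
    if m := AUTORUN.match(line):
        if "H" in m["attrs"] and "S" in m["attrs"]:
            return Finding("review", m["path"], f"hidden+system autorun file on {m['fs']} volume")
        return None
    if m := BOOTEXEC.match(line):
        if m["cmd"] in KNOWN_BOOTEXEC_OK:
            return Finding("info", m["cmd"], "default BootExecute; OTL cannot resolve the wildcard")
        return Finding("review", m["cmd"], "non-default BootExecute with missing file")
    if m := FILE_ENTRY.match(line):
        path, company = m["path"], m["company"].strip()
        base = path.rsplit("\\", 1)[-1]
        # An extension-less, unsigned-looking file in System32 is worth a look.
        if "\\system32\\" in path.lower() and not company and "." not in base:
            return Finding("review", path, "extension-less file in System32 with no company name")
        return None
    if m := ADS.match(line):
        return Finding("review", m["path"], f"alternate data stream, {m['size']} bytes")
    return None


def triage(text: str):
    """Run every rule over a whole log; blank lines and quiet lines are dropped."""
    return [f for f in map(triage_line, text.strip().splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.subject}: {f.reason}")
```

Run as a script it prints one line per finding. A "cleanup" finding is a dead registry entry (the BHO with no CLSID value, the orphaned protocol handler) that can go; a "review" finding is something a person has to judge with more context, for example the hidden autorun.inf on the 4 GB FAT32 D: volume, which on a Compaq Presario of this vintage is where the recovery partition lives, or the 73-byte `System32\-1` file with no company name.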
Upon review of my post, I noticed the last OTL scan was done without the All Users box checked. I rescanned with it checked and am posting those results as well.
OTL Scan 2A
OTL logfile created on: 2/24/2011 9:54:34 AM - Run 3
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 120.00 Mb Available Physical Memory | 48.00% Memory free
606.00 Mb Paging File | 404.00 Mb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.39 Gb Free Space | 84.31% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (nmservice) -- File not found
SRV - (LinksysUpdater) -- File not found
SRV - (HidServ) -- File not found
SRV - (GYX) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (nosGetPlusHelper) getPlus(R) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll (NOS Microsystems Ltd.)
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
========== Driver Services (SafeList) ==========
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2011/02/24 09:24:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 02:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/24 09:24:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/23 13:54:36 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:41:38 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 15:09:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Candy
[2011/02/22 14:00:50 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/22 10:46:40 | 000,000,000 | ---D | C] -- C:\Program Files\NOS
[2011/02/21 15:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/02/21 14:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/02/21 13:15:15 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:40:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/21 11:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/02/21 11:34:24 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 07:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Scans
[2011/02/17 11:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Forklift Checklists
[2011/02/17 07:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/02/17 07:36:18 | 000,000,000 | ---D | C] -- C:\MSOffice(2)
[2011/02/16 12:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Shipping Notices
[2011/02/16 12:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Repairs Received
[2011/02/16 12:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AEI TAG P.O.s
[2011/02/15 12:52:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2011/02/15 12:40:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/02/11 14:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer
[2011/02/11 14:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\backups
[2011/02/10 14:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\vmmap
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegScrubXP
[2011/02/10 11:23:44 | 000,115,960 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:20:49 | 000,122,152 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:09:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/10 10:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Browser Guard 2010
[2011/02/08 11:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/08 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/08 11:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/08 11:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 07:37:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/02/07 07:33:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/02/04 14:38:56 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 14:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1
[2011/02/04 14:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/02/04 13:45:05 | 006,018,568 | ---- | C] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:27 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\log
[2011/02/04 10:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/28 09:57:15 | 002,132,576 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:41 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files - Modified Within 30 Days ==========
[2011/02/24 09:26:01 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/24 09:25:56 | 259,575,808 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/24 09:24:47 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:42:57 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 13:41:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 14:00:50 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:03:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 15:03:13 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/21 14:17:58 | 001,171,456 | -H-- | M] () -- C:\__ofidx0.ffx
[2011/02/21 14:17:58 | 000,180,224 | -H-- | M] () -- C:\__ofidx.ffl
[2011/02/21 14:17:58 | 000,004,713 | -H-- | M] () -- C:\__ofidx.ffa
[2011/02/21 13:15:15 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:34:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 11:17:08 | 000,009,830 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/15 12:40:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 07:54:54 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AEI TAG RECEIVED LIST.xls
[2011/02/11 11:14:18 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:22 | 000,305,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 13:00:55 | 000,443,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/10 13:00:55 | 000,072,142 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/10 11:48:48 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:23:44 | 000,115,960 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:22:17 | 000,654,920 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:20:55 | 000,122,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:21 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:20 | 000,554,035 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:11:02 | 000,430,080 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/10 11:09:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/09 08:57:00 | 004,337,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:23 | 000,140,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/07 07:31:50 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 13:45:05 | 006,018,568 | ---- | M] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:31 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:33:24 | 001,113,789 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/02/04 11:18:49 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
[2011/01/28 10:52:38 | 090,232,246 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:59 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/28 09:57:15 | 002,132,576 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:56 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files Created - No Company Name ==========
[2011/02/21 14:17:58 | 000,004,713 | -H-- | C] () -- C:\__ofidx.ffa
[2011/02/21 14:17:54 | 001,171,456 | -H-- | C] () -- C:\__ofidx0.ffx
[2011/02/21 14:13:24 | 000,180,224 | -H-- | C] () -- C:\__ofidx.ffl
[2011/02/18 11:17:07 | 000,009,830 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/11 11:13:22 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:21 | 000,305,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 11:48:48 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:09 | 000,593,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:22:11 | 000,654,920 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:18 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:14 | 000,554,035 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:10:58 | 000,430,080 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/09 08:56:59 | 004,337,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:18 | 000,140,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:50 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/04 13:33:13 | 001,113,789 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/28 10:52:20 | 090,232,246 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:56 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/14 12:54:08 | 000,030,616 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\installer.log
[2011/01/14 11:58:09 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\LaunchHomeCenter.log
[2011/01/07 12:29:17 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/04/03 02:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 01:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 01:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 18:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 18:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 04:01:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 03:52:33 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 03:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 02:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 02:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 02:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 02:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 02:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 00:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/01 17:57:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
========== Alternate Data Streams ==========
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
< End of report >
The only thing I see is a service that I am not sure of
Download and Run SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:service
GYX
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I also don't see any sign of Windows Media Player.
Random System Information Tool
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
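One way to triage service entries like the one the helper is asking about is to parse the HijackThis "O23 - Service:" lines and flag the markers that make an entry stand out: a binary under a user's Temp folder, a service that is still registered although its file is gone, and no publisher string. The script below is an added example, not part of the thread or of SystemLook, RSIT or HijackThis; the sample lines are constructed in the shape of this thread's O23 output, and the marker list and the scoring are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis-style "O23 - Service:" lines in the shape
# seen in this thread; the GYX entry is the service the helper asked about.
SAMPLE_O23 = """\
O23 - Service: GYX - Unknown owner - C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\GYX.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\\Program Files\\Java\\jre6\\bin\\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\\Program Files\\Linksys\\Linksys Updater\\bin\\LinksysUpdater.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\\Program Files\\WinPcap\\rpcapd.exe
"""

# Shape of an O23 line: "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Writable per-user scratch locations (assumed marker list). The 8.3 short
# names DOCUME~1 / LOCALS~1 are how HijackThis prints
# "Documents and Settings\<user>\Local Settings".
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                "\\appdata\\local\\temp\\")


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    findings: list = field(default_factory=list)


def parse_o23(text):
    """Return one ServiceEntry per O23 line; other HijackThis sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(m["name"], m["owner"], m["path"].strip(),
                                    m["missing"] is not None))
    return entries


def triage(entries):
    """Attach findings to each entry and sort the most suspicious first."""
    for e in entries:
        p = e.path.lower()
        if any(marker in p for marker in TEMP_MARKERS):
            e.findings.append("binary lives in a user temp directory")
        if e.file_missing:
            e.findings.append("service still registered but binary is gone")
        if e.owner.lower() == "unknown owner":
            e.findings.append("no publisher/version info on binary")
    # sorted() is stable, so entries with equal scores keep their log order
    return sorted(entries, key=lambda e: len(e.findings), reverse=True)


def triage_o23(text):
    return triage(parse_o23(text))


if __name__ == "__main__":
    for e in triage_o23(SAMPLE_O23):
        flag = "SUSPECT" if e.findings else "ok"
        print(f"{flag:8} {e.name}: {e.path}")
        for f in e.findings:
            print(f"           - {f}")
```

A leftover from an uninstalled product (the Linksys entry) also scores on "file missing" and "unknown owner"; the temp-directory marker is what separates the GYX entry from ordinary uninstall debris, which is why it ranks first.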
I ran SystemLook and RSIT as instructed. After the scans I looked in the C:\Program Files\Malwarebytes folder and there is still a WMP icon that says DAT file on rollover and opens with Notepad. The filename is unins002.dat. There is also an Outlook icon (envelope) with filename unins002.msg that says it's an Outlook Item; both are 11 KB. I cannot open any files using MS Office. There is a trial version of Office 2003 that has never been activated, and I installed Office 97. The icons for Office 97 are in the Start menu, but when I try to open Excel a blank Excel screen comes up with a dialog box that says "trying to install" or words to that effect; it is gone very quickly. I have tried to uninstall the trial of Office 2003 but it says it can't uninstall. There are Office 2003 icons in several of my files, but as I said I have not activated Office 2003. I noticed in the logs files referring to Linksys and Pure Networks. At one time I did have this machine hooked up to a Linksys router and the software installed, but no longer. I went into Add/Remove Programs and uninstalled Linksys, but I still have a desktop icon for Linksys Advisor and have now seen these Linksys files in the logs. I don't know if that helps, but it's some additional info to work with. Whatever is in here seems to be memory resident, somehow reinstalling itself. Also, according to User Accounts there are only TWO user accounts, ARI and Guest. I'm baffled. Thanks for your help.
Here are the logs you requested.
SystemLook Log
SystemLook 04.09.10 by jpshortstuff
Log created at 13:24 on 24/02/2011 by Owner
Administrator - Elevation successful
========== service ==========
GYX
GYX
(No Description)
Current Status: Stopped
Startup Type: Demand
Error Control: Critical
Binary: C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe
Group: (none)
SafeBoot:
Dependencies:
(none)
Dependant Services:
(none)
-= EOF =-
RSIT log.txt
Logfile of random's system information tool 1.08 (written by random/random)
Run by Owner at 2011-02-24 13:27:01
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 61 GB (84%) free of 72 GB
Total RAM: 247 MB (53% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:27:15 PM, on 2/24/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: GYX - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
--
End of file - 4496 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2011-01-10 325408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2011-01-10 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2011-01-10 79648]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-08-20 118784]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-13 233472]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]
"Reminder"=C:\Windows\Creator\Remind_XP.exe [2003-12-18 118784]
"AlcxMonitor"=C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-08-20 155648]
"EKIJ5000StatusMonitor"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe [2010-09-02 1638400]
"Trend Micro RUBotted V2.0 Beta"=C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe [2010-12-17 1103184]
"Conime"=C:\WINDOWS\system32\conime.exe [2008-04-14 27648]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-20 344064]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-14 239616]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=0
"legalnoticetext"=0
"shutdownwithoutlogon"=0
"undockwithoutlogon"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2011-02-24 13:27:01 ----D---- C:\rsit
2011-02-24 09:24:44 ----D---- C:\_OTL
2011-02-22 10:46:40 ----D---- C:\Program Files\NOS
2011-02-21 15:01:30 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2011-02-21 14:13:00 ----D---- C:\Documents and Settings\All Users\Application Data\Trend Micro
2011-02-21 13:35:12 ----D---- C:\Program Files\Spybot - Search & Destroy
2011-02-21 13:35:12 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-21 11:40:19 ----D---- C:\WINDOWS\ERDNT
2011-02-21 11:39:33 ----D---- C:\Program Files\ERUNT
2011-02-17 07:46:52 ----D---- C:\Documents and Settings\Owner\Application Data\Template
2011-02-17 07:36:18 ----D---- C:\MSOffice(2)
2011-02-15 12:52:16 ----D---- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
2011-02-15 12:40:24 ----D---- C:\WINDOWS\system32\windowspowershell
2011-02-15 12:40:11 ----DC---- C:\WINDOWS\$NtUninstallKB926139-v2$
2011-02-10 11:48:47 ----D---- C:\Program Files\RegScrubXP
2011-02-10 09:35:00 ----HDC---- C:\WINDOWS\$NtUninstallKB2478971$
2011-02-10 09:34:53 ----HDC---- C:\WINDOWS\$NtUninstallKB2485376$
2011-02-10 09:34:44 ----HDC---- C:\WINDOWS\$NtUninstallKB2479628$
2011-02-10 09:34:34 ----HDC---- C:\WINDOWS\$NtUninstallKB2483185$
2011-02-10 09:32:53 ----HDC---- C:\WINDOWS\$NtUninstallKB2476687$
2011-02-10 09:32:44 ----HDC---- C:\WINDOWS\$NtUninstallKB2478960$
2011-02-10 09:32:31 ----HDC---- C:\WINDOWS\$NtUninstallKB2393802$
2011-02-08 11:48:47 ----D---- C:\Program Files\WinPcap
2011-02-08 11:48:05 ----D---- C:\Program Files\Trend Micro
2011-02-07 07:37:46 ----D---- C:\Program Files\Reference Assemblies
2011-02-04 14:14:01 ----D---- C:\Program Files\AVG
2011-02-04 13:34:08 ----A---- C:\WINDOWS\system32\drivers\tmcomm.sys
2011-02-04 10:17:40 ----D---- C:\Documents and Settings\All Users\Application Data\MFAData
======List of files/folders modified in the last 1 months======
2011-02-24 13:27:13 ----D---- C:\WINDOWS\Prefetch
2011-02-24 11:52:24 ----D---- C:\WINDOWS\system32
2011-02-24 11:51:54 ----D---- C:\WINDOWS\Temp
2011-02-24 11:51:23 ----D---- C:\Documents and Settings\Owner\Application Data\AdobeUM
2011-02-24 09:25:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2011-02-24 09:25:03 ----D---- C:\WINDOWS
2011-02-24 09:24:47 ----D---- C:\WINDOWS\system32\drivers\etc
2011-02-24 07:46:00 ----D---- C:\Documents and Settings\All Users\Application Data\Kodak
2011-02-24 07:45:58 ----D---- C:\Documents and Settings\Owner\Application Data\Temp
2011-02-24 07:31:50 ----D---- C:\WINDOWS\system32\FxsTmp
2011-02-23 13:42:58 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2011-02-23 13:42:56 ----D---- C:\WINDOWS\system32\drivers
2011-02-22 15:21:38 ----D---- C:\WINDOWS\system32\CatRoot2
2011-02-22 13:45:20 ----HD---- C:\WINDOWS\inf
2011-02-22 13:45:13 ----RSHDC---- C:\WINDOWS\system32\dllcache
2011-02-22 13:45:11 ----D---- C:\Program Files\Internet Explorer
2011-02-22 10:46:46 ----SD---- C:\WINDOWS\Downloaded Program Files
2011-02-22 10:46:40 ----D---- C:\Program Files
2011-02-22 09:42:29 ----D---- C:\WINDOWS\system32\CatRoot
2011-02-22 07:13:46 ----SD---- C:\Documents and Settings\Owner\Application Data\Microsoft
2011-02-21 15:08:34 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2011-02-21 15:02:31 ----D---- C:\WINDOWS\system32\config
2011-02-21 15:02:14 ----D---- C:\WINDOWS\system32\wbem
2011-02-21 15:02:14 ----D---- C:\WINDOWS\Registration
2011-02-21 15:01:25 ----D---- C:\Program Files\Common Files\Microsoft Shared
2011-02-21 15:01:14 ----D---- C:\WINDOWS\system
2011-02-21 14:59:20 ----D---- C:\WINDOWS\system32\Restore
2011-02-21 14:17:58 ----A---- C:\WINDOWS\system32\FFASTLOG.TXT
2011-02-21 14:07:59 ----RSD---- C:\WINDOWS\Fonts
2011-02-17 07:37:29 ----D---- C:\WINDOWS\Help
2011-02-17 07:37:09 ----D---- C:\WINDOWS\msapps
2011-02-15 12:53:14 ----D---- C:\WINDOWS\AppPatch
2011-02-15 12:45:23 ----RSD---- C:\WINDOWS\assembly
2011-02-15 12:45:23 ----D---- C:\WINDOWS\Microsoft.NET
2011-02-15 12:40:55 ----A---- C:\WINDOWS\imsins.BAK
2011-02-15 06:24:15 ----HD---- C:\WINDOWS\$hf_mig$
2011-02-11 13:09:30 ----SHD---- C:\System Volume Information
2011-02-11 09:21:43 ----HD---- C:\hp
2011-02-11 08:49:49 ----D---- C:\WINDOWS\I386
2011-02-11 08:49:28 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2011-02-10 13:00:55 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2011-02-10 11:48:23 ----D---- C:\WINDOWS\Debug
2011-02-10 11:45:54 ----D---- C:\WINDOWS\network diagnostic
2011-02-10 09:40:51 ----D---- C:\Program Files\HijackThis
2011-02-10 09:33:03 ----A---- C:\WINDOWS\system32\MRT.exe
2011-02-10 09:24:18 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
2011-02-10 09:23:19 ----SHD---- C:\WINDOWS\Installer
2011-02-07 15:26:29 ----D---- C:\WINDOWS\Minidump
2011-02-04 13:06:55 ----D---- C:\Program Files\Windows Media Player
2011-02-04 11:51:54 ----D---- C:\Documents and Settings\Owner\Application Data\AVG
2011-02-04 10:30:26 ----D---- C:\Program Files\Common Files
2011-02-04 10:26:01 ----HD---- C:\Program Files\Uninstall Information
2011-02-04 10:16:58 ----HD---- C:\Program Files\InstallShield Installation Information
2011-02-04 10:16:57 ----D---- C:\Program Files\InterVideo
2011-02-04 10:08:26 ----D---- C:\Documents and Settings\All Users\Application Data\Motive
2011-01-31 08:45:05 ----D---- C:\WINDOWS\system32\Macromed
2011-01-25 11:10:30 ----D---- C:\Program Files\Adobe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 fasttx2k;fasttx2k; C:\WINDOWS\System32\DRIVERS\fasttx2k.sys [2003-12-02 142336]
R0 ohci1394;VIA OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-14 61696]
R0 PxHelp20;PxHelp20; C:\WINDOWS\System32\DRIVERS\PxHelp20.sys [2003-08-01 17136]
R0 SISAGP;SiS AGP Filter; C:\WINDOWS\System32\DRIVERS\SISAGPX.sys [2003-07-18 36992]
R0 viaagp1;VIA AGP Filter; C:\WINDOWS\System32\DRIVERS\viaagp1.sys [2003-07-02 27904]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 SiSkp;SiSkp; C:\WINDOWS\System32\DRIVERS\srvkp.sys [2004-01-02 11520]
R2 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2009-10-20 50704]
R2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-12-12 23984]
R2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-12-12 25264]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2004-08-20 737874]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2002-07-29 23808]
R3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\System32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2004-01-02 432000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 viagfx;viagfx; C:\WINDOWS\System32\DRIVERS\vtmini.sys [2004-02-04 134144]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2011-01-10 153376]
R2 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
R2 RUBotSrv;Trend Micro RUBotted Service; C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service; C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe [2010-09-13 308656]
S2 LinksysUpdater;Linksys Updater; C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe -s C:\Program Files\Linksys\Linksys Updater\conf\wrapper.conf []
S2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-14 267776]
S3 GYX;GYX; C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe []
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 nosGetPlusHelper;getPlus(R) Helper 3004; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2009-10-20 117264]
S4 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
-----------------EOF-----------------
RSIT info.txt
info.txt logfile of random's system information tool 1.08 2011-02-24 13:27:19
======Uninstall list======
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Download Manager-->"C:\Program Files\NOS\bin\getPlusUninst_Adobe.exe" /Get1
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10m_ActiveX.exe -maintain activex
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Agere Systems PCI Soft Modem-->agrsmdel
aiofw-->MsiExec.exe /I{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}
aioprnt-->MsiExec.exe /X{0645A454-AD44-4F0D-99CF-6B762735AD1F}
aioscnnr-->MsiExec.exe /X{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}
AVG PC Tuneup 2011-->"C:\Program Files\AVG\AVG PC Tuneup 2011\unins000.exe"
center-->MsiExec.exe /I{56BA241F-580C-43D2-8403-947241AAE633}
Compaq Instant Support-->C:\PROGRA~1\COMPAQ~2\UNWISE.EXE C:\PROGRA~1\COMPAQ~2\INSTALL.LOG
HijackThis 2.0.2-->"C:\Documents and Settings\Owner\My Documents\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Extreme Graphics Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java(TM) 6 Update 23-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216023FF}
KBD-->C:\HP\KBD\KBD.EXE uninstalled
KODAK AiO Home Center-->C:\Documents and Settings\All Users\Application Data\Kodak\Installer\Setup.exe /Web /x "{E0F274B7-592B-4669-8FB8-8D9825A09858}" CompanyName="Eastman Kodak Company" /code "1033"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins002.exe"
Microsoft .NET Framework 1.1 Security Update (KB2416447)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft Office Standard Edition 2003-->MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! Digital Media Edition-->MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
PreReq-->MsiExec.exe /{DA5BDB2A-12F0-4343-8351-21AAEB293990}
RegScrubXP 3.25-->"C:\Program Files\RegScrubXP\unins000.exe"
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Windows Internet Explorer 8 (KB2416400)-->"C:\WINDOWS\ie8updates\KB2416400-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2482017)-->"C:\WINDOWS\ie8updates\KB2482017-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows XP (KB2393802)-->"C:\WINDOWS\$NtUninstallKB2393802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2476687)-->"C:\WINDOWS\$NtUninstallKB2476687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2478960)-->"C:\WINDOWS\$NtUninstallKB2478960$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2478971)-->"C:\WINDOWS\$NtUninstallKB2478971$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2479628)-->"C:\WINDOWS\$NtUninstallKB2479628$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2483185)-->"C:\WINDOWS\$NtUninstallKB2483185$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2485376)-->"C:\WINDOWS\$NtUninstallKB2485376$\spuninst\spuninst.exe"
Trend Micro RUBotted 2.0 Beta-->"C:\Program Files\Trend Micro\RUBotted\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinPcap 4.1.1-->C:\Program Files\WinPcap\uninstall.exe
======Hosts File======
::1 localhost
======System event log======
Computer Name: GOODRICH106
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 1967
Source Name: Service Control Manager
Time Written: 20110112095730.000000-360
Event Type: error
User:
Computer Name: GOODRICH106
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 1964
Source Name: Service Control Manager
Time Written: 20110112095730.000000-360
Event Type: error
User:
Computer Name: GOODRICH106
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 1961
Source Name: Service Control Manager
Time Written: 20110112095730.000000-360
Event Type: error
User:
Computer Name: GOODRICH106
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 1958
Source Name: Service Control Manager
Time Written: 20110112095730.000000-360
Event Type: error
User:
Computer Name: GOODRICH106
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.
Record Number: 1955
Source Name: Service Control Manager
Time Written: 20110112095730.000000-360
Event Type: error
User:
=====Application event log=====
Computer Name: GOODRICH106
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0
Record Number: 39
Source Name: MsiInstaller
Time Written: 20110106102122.000000-360
Event Type: warning
User: GOODRICH106\Owner
Computer Name: GOODRICH106
Event Code: 62
Message: WMI ADAP was unable to process the .NET CLR Networking performance library since one of the data blobs reported to have classes but had zero size
Record Number: 35
Source Name: WinMgmt
Time Written: 20110106101509.000000-360
Event Type: warning
User:
Computer Name: GOODRICH106
Event Code: 62
Message: WMI ADAP was unable to process the .NET CLR Data performance library since one of the data blobs reported to have classes but had zero size
Record Number: 34
Source Name: WinMgmt
Time Written: 20110106101509.000000-360
Event Type: warning
User:
Computer Name: GOODRICH106
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Record Number: 21
Source Name: WinMgmt
Time Written: 20110106100813.000000-360
Event Type: warning
User: GOODRICH106\Owner
Computer Name: GOODRICH106
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0
Record Number: 11
Source Name: MsiInstaller
Time Written: 20110106094804.000000-360
Event Type: warning
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 3 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0303
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"KDS_LANGUAGE"=13
-----------------EOF-----------------
Hi,
Let's do this
Open notepad and then copy and paste the bolded lines below into Notepad.
Go to File > save as and name the file fixes.bat.
Change the Save as type to all files and save it to your desktop.
@echo off
sc stop GYX.exe
sc delete GYX.exe
Double-click on fixes.bat file to execute it.
Reboot and post a new Hijackthis log
Then do this
Open HJT and go to Misc Tools > Process Manager > run and copy and paste the log into this thread for me to see
Hi,
Copied and pasted the bolded files to Notepad, saved as All Files and ran it. Rebooted and ran HJT Scan, then opened Process Manager and clicked on Run. This opened up the same dialog box as if you went to Start > Run. The entry in the box was services.exe, which opened up the list of services, which I exported to Notepad since there was no option to Copy.
Between our posts I googled GYX and believe it is a part of the problem. While looking at GYX in Local Services I noticed (HJT Log O16) get plus(R) helper 3004 as a service just above GYX. I googled get plus (R) helper 3004 and it is from Adobe as part of the installer and is supposed to be deleted after the install completes for Adobe 6.0. Adobe says this should not be there and if it is it can be used as an exploit for trojans. Just a little info that may help you out. I believe these two items are related in causing the problems I'm having. You might take a look and see what you think. In the Google results look for the link to Adobe.
BTW upon rebooting after running the fix you sent I still got the dialog box with 0 in the title bar and 0 in the dialog field just so you know.
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:29 AM, on 2/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O23 - Service: GYX - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
--
End of file - 4189 bytes
HJT Process Manager Run Log
Name Description Status Startup Type Log On As
.NET Runtime Optimization Service v2.0.50727_X86 Microsoft .NET Framework NGEN Manual Local System
Alerter Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local Service
Application Layer Gateway Service Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall. Started Manual Local Service
Application Management Provides software installation services such as Assign, Publish, and Remove. Manual Local System
ASP.NET State Service Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Network Service
Automatic Updates Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Started Automatic Local System
Background Intelligent Transfer Service Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled. Started Automatic Local System
ClipBook Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start. Disabled Local System
COM+ Event System Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. Started Manual Local System
COM+ System Application Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Computer Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Cryptographic Services Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
DCOM Server Process Launcher Provides launch functionality for DCOM services. Started Automatic Local System
DHCP Client Manages network configuration by registering and updating IP addresses and DNS names. Started Automatic Local System
Distributed Link Tracking Client Maintains links between NTFS files within a computer or across computers in a network domain. Started Automatic Local System
Distributed Transaction Coordinator Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Network Service
DNS Client Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Network Service
Error Reporting Service Allows error reporting for services and applictions running in non-standard environments. Started Automatic Local System
Event Log Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. Started Automatic Local System
Extensible Authentication Protocol Service Provides windows clients Extensible Authentication Protocol Service Manual Local System
Fast User Switching Compatibility Provides management for applications that require assistance in a multiple user environment. Manual Local System
Fax Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. Manual Local System
getPlus(R) Helper 3004 Manual Local System
GYX Manual Local System
Health Key and Certificate Management Service Manages health certificates and keys (used by NAP) Manual Local System
Help and Support Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
HTTP SSL This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Human Interface Device Access Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. Disabled Local System
IMAPI CD-Burning COM Service Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Indexing Service Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. Manual Local System
IPSEC Services Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Started Automatic Local System
Java Quick Starter Prefetches JRE files for faster startup of Java applets and applications Started Automatic Local System
Kodak AiO Network Discovery Service Automatic Local System
Linksys Updater Updater for Linksys EasyLink Advisor Automatic Local System
Logical Disk Manager Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Logical Disk Manager Administrative Service Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. Manual Local System
Messenger Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. Disabled Local System
MS Software Shadow Copy Provider Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Net Logon Supports pass-through authentication of account logon events for computers in a domain. Manual Local System
Net.Tcp Port Sharing Service Provides ability to share TCP ports over the net.tcp protocol. Started Automatic Local Service
NetMeeting Remote Desktop Sharing Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
Network Access Protection Agent Allows windows clients to participate in Network Access Protection Manual Local System
Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Started Manual Local System
Network DDE Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Network DDE DSDM Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Network Location Awareness (NLA) Collects and stores network configuration and location information, and notifies applications when this information changes. Started Manual Local System
Network Provisioning Service Manages XML configuration files on a domain basis for automatic network provisioning. Manual Local System
NT LM Security Support Provider Provides security to remote procedure call (RPC) programs that use transports other than named pipes. Manual Local System
Office Source Engine Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports. Manual Local System
Performance Logs and Alerts Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Network Service
Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. Started Automatic Local System
Portable Media Serial Number Service Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device. Manual Local System
Print Spooler Loads files to memory for later printing. Started Automatic Local System
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Started Automatic Local System
Pure Networks Platform Service Enables Pure Networks Platform services such as file sharing, printer sharing, and network monitoring. Automatic Local System
QoS RSVP Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. Manual Local System
Remote Access Auto Connection Manager Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Disabled Local System
Remote Access Connection Manager Creates a network connection. Started Manual Local System
Remote Desktop Help Session Manager Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. Manual Local System
Remote Packet Capture Protocol v.0 (experimental) Allows to capture traffic on this machine from a remote machine. Manual Local System
Remote Procedure Call (RPC) Provides the endpoint mapper and other miscellaneous RPC services. Started Automatic Network Service
Remote Procedure Call (RPC) Locator Manages the RPC name service database. Manual Network Service
Removable Storage Manual Local System
Routing and Remote Access Offers routing services to businesses in local area and wide area network environments. Disabled Local System
Secondary Logon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Security Accounts Manager Stores security information for local user accounts. Started Automatic Local System
Security Center Monitors system security settings and configurations. Started Automatic Local System
Server Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Shell Hardware Detection Disabled Local System
Smart Card Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local Service
SSDP Discovery Service Enables discovery of UPnP devices on your home network. Started Manual Local Service
System Event Notification Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Started Automatic Local System
System Restore Service Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties Started Automatic Local System
Task Scheduler Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
TCP/IP NetBIOS Helper Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Started Automatic Local Service
Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Started Manual Local System
Terminal Services Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. Started Manual Local System
Themes Provides user experience theme management. Started Automatic Local System
Trend Micro RUBotted Service Trend Micro service for RUBotted tool Started Automatic Local System
Uninterruptible Power Supply Manages an uninterruptible power supply (UPS) connected to the computer. Manual Local Service
Universal Plug and Play Device Host Provides support to host Universal Plug and Play devices. Manual Local Service
Volume Shadow Copy Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. Manual Local System
WebClient Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local Service
Windows Audio Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Windows CardSpace Securely enables the creation, management, and disclosure of digital identities. Manual Local System
Windows Firewall/Internet Connection Sharing (ICS) Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Started Automatic Local System
Windows Image Acquisition (WIA) Provides image acquisition services for scanners and cameras. Started Automatic Local System
Windows Installer Installs, repairs and removes software according to instructions contained in .MSI files. Manual Local System
Windows Management Instrumentation Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Windows Presentation Foundation Font Cache 3.0.0.0 Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications. Disabled Local Service
Windows Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Wired AutoConfig This service performs IEEE 802.1X authentication on Ethernet interfaces Manual Local System
Wireless Zero Configuration Provides automatic configuration for the 802.11 adapters Started Automatic Local System
WMI Performance Adapter Provides performance library information from WMI HiPerf providers. Manual Local System
Workstation Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. Started Automatic Local System
Hi,
I am afraid I can't read the Process log the way you posted it. Look in Misc Tools > Processes and see if there is anything running related to Windows Media Player in there.
Looks like the fix didn't take
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O23 - Service: GYX - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe (file missing)
Then run HJT and post a new log
Then run this scanner
OTL by OldTimer
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
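The helper's triage of the HJT log above comes down to a few mechanical checks on the O4 (autorun) and O23 (service) lines: a registered service whose binary is missing, one HijackThis could not attribute to a company, or one that runs from a Temp directory. The following script is an added example, not part of HijackThis or of this thread; the sample lines in it are constructed after the posted log, and the GYX line is the one the helper flagged.

```python
"""Triage pass over HijackThis O4 (autorun) and O23 (service) log lines.

Added example, not HijackThis code. The SAMPLE_LOG below is constructed
after the log posted in the thread.
"""
import re

# O23 - Service: <display name> - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)


def triage_line(line: str) -> list:
    """Return the reasons a line deserves a second look (empty list = nothing notable)."""
    reasons = []
    m = O23_RE.match(line)
    if m:
        path = m.group("path")
        if "(file missing)" in path:
            reasons.append("service binary missing on disk (orphaned service registration)")
        if m.group("owner") == "Unknown owner":
            reasons.append("HijackThis could not attribute the binary to a company")
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            reasons.append("service binary lives under a Temp directory")
        return reasons
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd").strip().strip('"')
        if "\\" not in cmd:
            # e.g. "AGRSMMSG.exe": Windows locates it via the search path, not a fixed location,
            # so the entry alone does not tell you which file actually runs.
            reasons.append("bare file name: resolved through the search path, not a fixed location")
        elif re.search(r"\\temp\\", cmd, re.IGNORECASE):
            reasons.append("autorun target lives under a Temp directory")
    return reasons


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep only the lines with findings."""
    out = []
    for line in log_text.splitlines():
        line = line.rstrip()
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


# Constructed sample modeled on the posted HJT log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O23 - Service: GYX - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GYX.exe (file missing)
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
"""

if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("   ->", r)
```

A bare file name in an O4 entry is not by itself a sign of trouble (AGRSMMSG.exe and ALCXMNTR.EXE in the posted log are both legitimate modem and audio helpers living in C:\WINDOWS); the flag only says the log line does not pin down which file runs, so the path has to be confirmed on the machine.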
Hi,
Ran the HJT and checked the named file, rebooted, the GYX file appears to be gone from the second scan. Still got the 0 dialog window on reboot.
Ran OTL as instructed but when finished only the OTL.txt file opened and I saved it. Went looking for the Extras file but could only find the last one from 2-23. Ran OTL again but still no Extras file. Sending what I have: HJT and OTL.txt.
I noticed in the HJT log there still shows the AVG Security Toolbar. This does not display on screen and I used AVG Remover to uninstall all AVG before the failed try at reinstalling. Should AVG Security Toolbar still be there? Please take a close look at OTL O6 & O7. The last O7 entry is in a file on C:\RECYCLER; the item with the long number string after the user number (S-1-5-21) is the only one there. I will try posting the Running Processes from HJT again; this was done with the posting window open and only one tab open on IE.
Seems like we're making progress. Thanks again.
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:04 AM, on 2/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
O1 - Hosts: ÿþ127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKLM\..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro RUBotted Service (RUBotSrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe
--
End of file - 4097 bytes
OTL.txt Log
OTL logfile created on: 2/25/2011 12:07:30 PM - Run 4
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 98.00 Mb Available Physical Memory | 40.00% Memory free
606.00 Mb Paging File | 405.00 Mb Available in Paging File | 67.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.21 Gb Free Space | 84.05% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (nosGetPlusHelper) getPlus(R) -- File not found
SRV - (nmservice) -- File not found
SRV - (LinksysUpdater) -- File not found
SRV - (HidServ) -- File not found
SRV - (GYX) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
========== Driver Services (SafeList) ==========
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2011/02/24 09:24:47 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 02:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\D\Shell\AutoRun\command - "" = Info.exe folder.htt 480 480
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/24 13:27:01 | 000,000,000 | ---D | C] -- C:\rsit
[2011/02/24 09:24:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/23 13:54:36 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:41:38 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 15:09:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Candy
[2011/02/22 14:00:50 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/02/21 14:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/02/21 13:15:15 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:40:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/21 11:39:33 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2011/02/21 11:34:24 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 07:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Scans
[2011/02/17 11:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Forklift Checklists
[2011/02/17 07:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/02/17 07:36:18 | 000,000,000 | ---D | C] -- C:\MSOffice(2)
[2011/02/16 12:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Shipping Notices
[2011/02/16 12:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Repairs Received
[2011/02/16 12:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AEI TAG P.O.s
[2011/02/15 12:52:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2011/02/15 12:40:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/02/11 14:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer
[2011/02/11 14:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\backups
[2011/02/10 14:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\vmmap
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegScrubXP
[2011/02/10 11:23:44 | 000,115,960 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:20:49 | 000,122,152 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:09:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/10 10:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Browser Guard 2010
[2011/02/08 11:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/08 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/08 11:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/08 11:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 07:37:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/02/07 07:33:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/02/04 14:38:56 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 14:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1
[2011/02/04 14:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/02/04 13:45:05 | 006,018,568 | ---- | C] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:27 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\log
[2011/02/04 10:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/28 09:57:15 | 002,132,576 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:41 | 001,090,912 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files - Modified Within 30 Days ==========
[2011/02/25 10:59:59 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/25 10:59:57 | 259,575,808 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/25 08:09:47 | 000,000,047 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fixes.bat
[2011/02/24 13:25:55 | 000,339,991 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2011/02/24 13:23:19 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/02/24 09:24:47 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:42:57 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 13:41:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 14:00:50 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:03:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 15:03:13 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/21 14:17:58 | 001,171,456 | -H-- | M] () -- C:\__ofidx0.ffx
[2011/02/21 14:17:58 | 000,180,224 | -H-- | M] () -- C:\__ofidx.ffl
[2011/02/21 14:17:58 | 000,004,713 | -H-- | M] () -- C:\__ofidx.ffa
[2011/02/21 13:15:15 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:34:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 11:17:08 | 000,009,830 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/15 12:40:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 07:54:54 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AEI TAG RECEIVED LIST.xls
[2011/02/11 11:14:18 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:22 | 000,305,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 13:00:55 | 000,443,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/10 13:00:55 | 000,072,142 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/10 11:48:48 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:23:44 | 000,115,960 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:22:17 | 000,654,920 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:20:55 | 000,122,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:21 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:20 | 000,554,035 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:11:02 | 000,430,080 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/10 11:09:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/09 08:57:00 | 004,337,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:23 | 000,140,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/07 07:31:50 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 13:45:05 | 006,018,568 | ---- | M] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:31 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:33:24 | 001,113,789 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/02/04 11:18:49 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
[2011/01/28 10:52:38 | 090,232,246 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:59 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/28 09:57:15 | 002,132,576 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\AVGIDPUninstaller.exe
[2011/01/28 09:55:56 | 001,090,912 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Documents and Settings\Owner\Desktop\avg_remover_stf_x86_2011_1184.exe
========== Files Created - No Company Name ==========
[2011/02/25 08:09:47 | 000,000,047 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fixes.bat
[2011/02/24 13:25:52 | 000,339,991 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2011/02/24 13:23:19 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/02/21 14:17:58 | 000,004,713 | -H-- | C] () -- C:\__ofidx.ffa
[2011/02/21 14:17:54 | 001,171,456 | -H-- | C] () -- C:\__ofidx0.ffx
[2011/02/21 14:13:24 | 000,180,224 | -H-- | C] () -- C:\__ofidx.ffl
[2011/02/18 11:17:07 | 000,009,830 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/11 11:13:22 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:21 | 000,305,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 11:48:48 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:09 | 000,593,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:22:11 | 000,654,920 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:18 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:14 | 000,554,035 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:10:58 | 000,430,080 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/09 08:56:59 | 004,337,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:18 | 000,140,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:50 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/04 13:33:13 | 001,113,789 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/28 10:52:20 | 090,232,246 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_arl_ffi_all_100_100826a3693.rar
[2011/01/28 10:30:56 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1.zip
[2011/01/14 12:54:08 | 000,030,616 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\installer.log
[2011/01/14 11:58:09 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\LaunchHomeCenter.log
[2011/01/07 12:29:17 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/04/03 02:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 01:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 01:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 18:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 18:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 04:01:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 03:52:33 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 03:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 02:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 02:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 02:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 02:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 02:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 00:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/01 17:57:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
========== LOP Check ==========
[2011/02/10 09:24:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2011/01/14 14:24:45 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2011/02/22 14:01:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/02/21 15:08:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2011/02/04 11:51:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AVG
[2011/02/15 12:52:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2004/04/02 19:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2011/02/25 07:28:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Temp
[2011/02/17 07:46:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Template
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
< End of report >
HJT Running Processes
Process list saved on 12:40:13 PM, on 2/25/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
[pid] [full path to filename] [file version] [company name]
416 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
496 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
540 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
552 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
704 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
800 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1044 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.6024 Microsoft Corporation
1156 C:\WINDOWS\system32\netdde.exe 5.1.2600.5512 Microsoft Corporation
1224 C:\Program Files\Java\jre6\bin\jqs.exe 6.0.230.5 Sun Microsystems, Inc.
1348 C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe 2.0.0.1030 Trend Micro Inc.
1424 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1908 C:\WINDOWS\Explorer.EXE 6.0.2900.5512 Microsoft Corporation
176 C:\WINDOWS\system32\wscntfy.exe 5.1.2600.5512 Microsoft Corporation
328 C:\WINDOWS\system32\hkcmd.exe 3.0.0.3889 Intel Corporation
336 C:\HP\KBD\KBD.EXE 1.0.2.0 Hewlett-Packard Company
364 C:\WINDOWS\AGRSMMSG.exe 2.1.41.10 Agere Systems
392 C:\WINDOWS\ALCXMNTR.EXE 1.5.0.0 Realtek Semiconductor Corp.
404 C:\WINDOWS\system32\igfxtray.exe 3.0.0.3889 Intel Corporation
316 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe 5.4.6.3 Eastman Kodak Company
444 C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe 2.0.0.1030 Trend Micro Inc.
460 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
664 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18702 Microsoft Corporation
1636 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18702 Microsoft Corporation
3616 C:\Program Files\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
Hi,
I am not seeing any markers for WMP, and I'm not sure what that box on startup is all about. When we're done I will link you to a Windows forum for help sorting that out; it doesn't look like it's malware related.
Backup Your Registry with ERUNT:
Download erunt.zip to your Desktop from here:
http://aumha.org/downloads/erunt.zip
Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
Inside the new folder, double-click ERUNT.exe to start the program
OK all the prompts to back up your registry to the default location. Note: to restore your registry, go to the backup folder and start ERDNT.exe
Open OTL.exe
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:processes
killallprocesses
:OTL
SRV - (GYX) -- File not found
:Services
:Reg
:Files
:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
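The fix above deletes a service registration whose binary no longer exists (the SRV line that ends in "File not found"). As an added example, not part of this thread and not OTL's own code, the following Python script reads OTL-style lines in the formats quoted in this thread and reports the items a helper looks at first: orphaned service registrations, the O7 NoDriveTypeAutoRun policy value decoded into the drive types autorun is still allowed on, O33 MountPoints2 autorun commands, and alternate data streams. The sample lines are constructed to match those formats; the bit meanings for NoDriveTypeAutoRun are the ones Microsoft documents for that value, and the generated :OTL block simply copies the orphaned SRV lines verbatim, which is how the fix in this thread was built.

```python
"""Triage OTL-style log lines (added example; not OTL's or the forum's code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample input in the line formats OTL uses in this thread's logs.
SAMPLE_LOG = r"""
========== Win32 Services (SafeList) ==========
SRV - (nosGetPlusHelper) getPlus(R) -- File not found
SRV - (GYX) -- File not found
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O33 - MountPoints2\D\Shell\AutoRun\command - "" = Info.exe folder.htt 480 480
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
"""

# One regex per line shape; each captures only the fields we report on.
SRV_RE = re.compile(r'^SRV - \((?P<name>[^)]+)\)\s*(?P<desc>.*?)\s*-- (?P<target>.+)$')
O7_RE = re.compile(r'^O7 - (?P<key>.+?)\\SOFTWARE\\.*NoDriveTypeAutoRun = (?P<val>\d+)$')
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<drive>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
ADS_RE = re.compile(r'^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+):(?P<stream>[^:\\]+)$')

# Bits of NoDriveTypeAutoRun as documented by Microsoft: a set bit DISABLES
# autorun for that drive type. The XP default 0x91 (145) leaves removable,
# fixed, CD-ROM and RAM-disk drives enabled; 0xFF (255) disables all of them.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNSPECIFIED",  # "drives of unspecified type" in the docs
}


def autorun_still_enabled(value: int) -> List[str]:
    """Return the drive types for which this policy value still allows autorun."""
    return [name for bit, name in NO_DRIVE_TYPE_AUTORUN_BITS.items() if not value & bit]


def triage(log_text: str) -> Dict[str, list]:
    """Walk the log once and collect the entries worth a second look."""
    findings: Dict[str, list] = {
        "orphan_services": [],     # (service name, raw line)
        "autorun_policies": [],    # (registry key, value, types still enabled)
        "mountpoint_autoruns": [], # (drive letter, command)
        "ads": [],                 # (host path, stream name, size in bytes)
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            # A registered service pointing at a missing file is an orphan:
            # either a leftover of an uninstall or of a removed malicious binary.
            if m["target"] == "File not found":
                findings["orphan_services"].append((m["name"], line))
            continue
        m = O7_RE.match(line)
        if m:
            val = int(m["val"])
            findings["autorun_policies"].append((m["key"], val, autorun_still_enabled(val)))
            continue
        m = O33_RE.match(line)
        if m:
            findings["mountpoint_autoruns"].append((m["drive"], m["cmd"]))
            continue
        m = ADS_RE.match(line)
        if m:
            findings["ads"].append((m["path"], m["stream"], int(m["size"])))
    return findings


def otl_fix_block(findings: Dict[str, list]) -> str:
    """Build the :OTL section used in this thread: orphaned SRV lines are copied
    verbatim from the log so OTL removes the dangling registrations. The list is
    meant to be reviewed before it is pasted into the fix box."""
    return "\n".join([":OTL"] + [raw for _, raw in findings["orphan_services"]])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, _ in result["orphan_services"]:
        print(f"orphaned service: {name}")
    for key, val, enabled in result["autorun_policies"]:
        print(f"{key} NoDriveTypeAutoRun={val}: autorun still enabled on {enabled}")
    for drive, cmd in result["mountpoint_autoruns"]:
        print(f"MountPoints2 autorun on {drive}: {cmd}")
    for path, stream, size in result["ads"]:
        print(f"ADS {path}:{stream} ({size} bytes)")
    print(otl_fix_block(result))
```

The MountPoints2 and ADS entries are listed for review, not flagged as malicious: an autorun command on a recovery partition or a small stream on a Temp folder can be perfectly ordinary, and the decision belongs to the person reading the log. The NoDriveTypeAutoRun decode is the part that turns the bare "145" in the O7 lines into something actionable, since it shows which drive types still honour autorun on this machine.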
Hi,
Went to run ERUNT and it had been corrupted. No exe icons anywhere. Looked in Program Files\ERUNT and all icons were changed to Unknown File icons, and there was a WMP icon as a DAT file that opens in Notepad. Deleted ERUNT from Program Files and redownloaded it, then ran it. Seemed to work fine and all the proper icons were in the program file.
Ran the fixes in OTL as instructed, rebooted, same 0 window appeared, then ran the scan with All Users checked. Once again I only got one log, no Extras log. Sending the Fix Log and the OTL.txt log.
OTL Fix Scan Log
All processes killed
========== PROCESSES ==========
========== OTL ==========
Service GYX stopped successfully!
Service GYX deleted successfully!
File File not found not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 16786 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Owner
->Temp folder emptied: 2540396 bytes
->Temporary Internet Files folder emptied: 33257688 bytes
->Java cache emptied: 572078 bytes
->Flash cache emptied: 2547 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 35.00 mb
OTL by OldTimer - Version 3.2.21.0 log created on 02282011_102538
Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\SQL.LOG scheduled to be moved on reboot.
Registry entries deleted on Reboot...
OTL4 Log
OTL logfile created on: 2/28/2011 10:31:21 AM - Run 5
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
247.00 Mb Total Physical Memory | 116.00 Mb Available Physical Memory | 47.00% Memory free
606.00 Mb Paging File | 402.00 Mb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 372 744 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.44 Gb Total Space | 59.13 Gb Free Space | 83.95% Space Free | Partition Type: NTFS
Drive D: | 4.07 Gb Total Space | 0.67 Gb Free Space | 16.50% Space Free | Partition Type: FAT32
Computer Name: GOODRICH106 | User Name: Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
PRC - C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (nosGetPlusHelper) getPlus(R) -- File not found
SRV - (nmservice) -- File not found
SRV - (LinksysUpdater) -- File not found
SRV - (HidServ) -- File not found
SRV - (AppMgmt) -- File not found
SRV - (RUBotSrv) -- C:\Program Files\Trend Micro\RUBotted\RUBotSrv.exe (Trend Micro Inc.)
SRV - (Kodak AiO Network Discovery Service) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe (Eastman Kodak Company)
SRV - (rpcapd) Remote Packet Capture Protocol v.0 (experimental) -- C:\Program Files\WinPcap\rpcapd.exe (CACE Technologies, Inc.)
========== Driver Services (SafeList) ==========
DRV - (NPF) -- C:\WINDOWS\system32\drivers\npf.sys (CACE Technologies, Inc.)
DRV - (purendis) -- C:\WINDOWS\system32\drivers\purendis.sys (Cisco Systems, Inc.)
DRV - (pnarp) -- C:\WINDOWS\system32\drivers\pnarp.sys (Cisco Systems, Inc.)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (ALCXSENS) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS (Sensaura Ltd)
DRV - (fasttx2k) -- C:\WINDOWS\System32\DRIVERS\fasttx2k.sys (Promise Technology, Inc.)
DRV - (SISAGP) -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys (Silicon Integrated Systems Corporation)
DRV - (viaagp1) -- C:\WINDOWS\System32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (rtl8139) -- C:\WINDOWS\system32\drivers\R8139n51.sys (Realtek Semiconductor Corporation )
DRV - (Ps2) -- C:\WINDOWS\system32\drivers\PS2.sys (Hewlett-Packard Company)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - Reg Error: Key error. File not found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O1 HOSTS File: ([2011/02/28 10:25:44 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Conime] C:\WINDOWS\system32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [Trend Micro RUBotted V2.0 Beta] C:\Program Files\Trend Micro\RUBotted\RUBottedGUI.exe (Trend Micro Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1847296987-2612838788-886327785-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (get_atlcom Class)
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - Reg Error: Key error. File not found
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/04/02 02:03:32 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2002/09/11 03:02:32 | 000,000,045 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O33 - MountPoints2\D\Shell\AutoRun\command - "" = Info.exe folder.htt 480 480
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
========== Files/Folders - Created Within 30 Days ==========
[2011/02/28 10:28:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/02/28 10:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\erunt
[2011/02/24 13:27:01 | 000,000,000 | ---D | C] -- C:\rsit
[2011/02/24 09:24:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/23 13:54:36 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:41:38 | 007,734,240 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 15:09:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Candy
[2011/02/22 14:00:50 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:01:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2011/02/21 14:13:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trend Micro
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/02/21 13:35:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/02/21 13:15:15 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:40:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/02/21 11:34:24 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 07:33:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Scans
[2011/02/17 11:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Forklift Checklists
[2011/02/17 07:46:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Template
[2011/02/17 07:36:18 | 000,000,000 | ---D | C] -- C:\MSOffice(2)
[2011/02/16 12:20:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Shipping Notices
[2011/02/16 12:18:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Repairs Received
[2011/02/16 12:13:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\AEI TAG P.O.s
[2011/02/15 12:52:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\ElevatedDiagnostics
[2011/02/15 12:40:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\windowspowershell
[2011/02/11 14:41:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer
[2011/02/11 14:22:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\backups
[2011/02/10 14:06:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\vmmap
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\RegScrubXP
[2011/02/10 11:48:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\RegScrubXP
[2011/02/10 11:23:44 | 000,115,960 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:20:49 | 000,122,152 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:09:08 | 000,359,656 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/10 10:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Browser Guard 2010
[2011/02/08 11:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPcap
[2011/02/08 11:48:47 | 000,000,000 | ---D | C] -- C:\Program Files\WinPcap
[2011/02/08 11:48:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Trend Micro RUBotted
[2011/02/08 11:48:05 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/07 07:37:46 | 000,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2011/02/07 07:33:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
[2011/02/04 14:38:56 | 007,592,248 | ---- | C] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 14:24:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\avg_update_mssct_2011_1
[2011/02/04 14:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2011/02/04 13:45:05 | 006,018,568 | ---- | C] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:27 | 000,532,480 | ---- | C] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:34:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\log
[2011/02/04 10:17:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
========== Files - Modified Within 30 Days ==========
[2011/02/28 10:27:36 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/28 10:27:35 | 259,575,808 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/28 10:25:44 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/02/28 10:19:36 | 000,513,320 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\erunt.zip
[2011/02/25 08:09:47 | 000,000,047 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\fixes.bat
[2011/02/24 13:25:55 | 000,339,991 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2011/02/24 13:23:19 | 000,075,264 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/02/23 13:54:40 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2011/02/23 13:42:57 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/23 13:41:38 | 007,734,240 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mwbam-setup.exe
[2011/02/23 13:37:01 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Owner\Desktop\ATF-Cleaner.exe
[2011/02/22 14:00:50 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\My Documents\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/21 15:03:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/21 15:03:13 | 000,146,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/02/21 14:17:58 | 001,171,456 | -H-- | M] () -- C:\__ofidx0.ffx
[2011/02/21 14:17:58 | 000,180,224 | -H-- | M] () -- C:\__ofidx.ffl
[2011/02/21 14:17:58 | 000,004,713 | -H-- | M] () -- C:\__ofidx.ffa
[2011/02/21 13:15:15 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Owner\My Documents\spybotsd162.exe
[2011/02/21 11:34:32 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe
[2011/02/18 11:17:08 | 000,009,830 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/15 12:40:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/02/14 07:54:54 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AEI TAG RECEIVED LIST.xls
[2011/02/11 11:14:18 | 000,000,041 | ---- | M] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:22 | 000,305,152 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 13:00:55 | 000,443,304 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/02/10 13:00:55 | 000,072,142 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/02/10 11:48:48 | 000,000,658 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:16 | 000,593,556 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:23:44 | 000,115,960 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\windows-kb841720-enu-v4.exe
[2011/02/10 11:22:17 | 000,654,920 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:20:55 | 000,122,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\doomcln-kb836528-v4-enu.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:21 | 000,231,390 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:20 | 000,554,035 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:11:02 | 000,430,080 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/10 11:09:08 | 000,359,656 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\My Documents\msicuu2.exe
[2011/02/09 08:57:00 | 004,337,573 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:23 | 000,140,288 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:51 | 000,000,073 | ---- | M] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/07 07:31:50 | 007,592,248 | ---- | M] (AVG ) -- C:\Documents and Settings\Owner\My Documents\avg_pct_stf_all_2011_24_c5.exe
[2011/02/04 13:45:05 | 006,018,568 | ---- | M] (Trend Micro, Inc. ) -- C:\Documents and Settings\Owner\Desktop\RUBottedSetup.exe
[2011/02/04 13:43:31 | 000,532,480 | ---- | M] (Trend Micro Incorporated) -- C:\Documents and Settings\Owner\Desktop\cwshredder.exe
[2011/02/04 13:41:54 | 004,738,880 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\Owner\Desktop\avg_free_stb_all_2011_1204_cnet.exe
[2011/02/04 13:34:08 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2011/02/04 13:33:24 | 001,113,789 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/02/04 11:18:49 | 000,061,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\msado21.tlb
========== Files Created - No Company Name ==========
[2011/02/28 10:19:32 | 000,513,320 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\erunt.zip
[2011/02/25 08:09:47 | 000,000,047 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\fixes.bat
[2011/02/24 13:25:52 | 000,339,991 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RSIT.exe
[2011/02/24 13:23:19 | 000,075,264 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\SystemLook.exe
[2011/02/21 14:17:58 | 000,004,713 | -H-- | C] () -- C:\__ofidx.ffa
[2011/02/21 14:17:54 | 001,171,456 | -H-- | C] () -- C:\__ofidx0.ffx
[2011/02/21 14:13:24 | 000,180,224 | -H-- | C] () -- C:\__ofidx.ffl
[2011/02/18 11:17:07 | 000,009,830 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\exefix.reg
[2011/02/11 11:13:22 | 000,000,041 | ---- | C] () -- C:\Documents and Settings\Owner\WellKnownServers.xml
[2011/02/10 14:13:21 | 000,305,152 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\windiag.iso
[2011/02/10 11:48:48 | 000,000,658 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RegScrubXP.lnk
[2011/02/10 11:47:09 | 000,593,556 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\regscrubxpsetup_3.2.exe
[2011/02/10 11:22:11 | 000,654,920 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\mtinst.exe
[2011/02/10 11:17:37 | 000,032,078 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RogueChecker.zip
[2011/02/10 11:14:18 | 000,231,390 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\RootkitRevealer.zip
[2011/02/10 11:13:14 | 000,554,035 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vmmap.zip
[2011/02/10 11:10:58 | 000,430,080 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\UPHClean-Setup.msi
[2011/02/09 08:56:59 | 004,337,573 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\u10iavi3432sq.bin
[2011/02/09 08:54:18 | 000,140,288 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\vcleaner.exe
[2011/02/08 11:48:50 | 000,000,073 | ---- | C] () -- C:\WINDOWS\System32\-1
[2011/02/07 07:33:40 | 000,000,856 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AVG PC Tuneup 2011.lnk
[2011/02/07 07:33:40 | 000,000,838 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG PC Tuneup 2011.lnk
[2011/02/04 13:33:13 | 001,113,789 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\RootkitBuster_3.60.1016.zip
[2011/01/14 12:54:08 | 000,030,616 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\installer.log
[2011/01/14 11:58:09 | 000,000,230 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\LaunchHomeCenter.log
[2011/01/07 12:29:17 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
[2009/10/20 12:19:30 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2004/04/03 02:18:54 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/04/03 01:36:40 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2004/04/03 01:36:39 | 000,000,451 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2004/04/02 18:17:14 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
[2004/04/02 18:15:40 | 000,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/04/02 18:00:40 | 000,027,752 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/04/02 04:01:01 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/04/02 03:52:33 | 000,000,889 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2004/04/02 03:14:52 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/04/02 02:43:52 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/02 02:34:53 | 000,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/04/02 02:34:53 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/04/02 02:34:35 | 000,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/04/02 02:08:11 | 000,000,802 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/04/02 00:52:53 | 000,000,553 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/04/01 17:57:08 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/01/08 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
========== Alternate Data Streams ==========
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4
< End of report >
Would you like me to send a copy of one of those WMP icon DAT files that open with Notepad? It may be helpful.
Looks like we got that GYX this time.
What you're experiencing with the O dat file is related to WinDVD Creator, and we don't get into Windows issues on this forum; it's just for malware removal.
I can link you to a forum to help you with that if you wish.
How are things running, any redirects or unwanted pop-up windows?
Hi,
So far, so good. The pages are loading noticeably faster on IE 8, that's good. The only concern I have left is if the D:\ is infected. A couple of months ago I did a format and reinstall of Windows from the D:\ drive and thought I had killed the bug, but as time went on it began to show signs of infection and was apparently corrupting my AVG 2011 because it turned up nothing. I have found files in C:\Documents and Settings\Local Service\; there is a folder named IETldCache. When I open this folder there is a file of the same name that is a WMP icon listed as a DAT file and in Properties opens with Notepad. It appears to be part of our problem. In the Local Service folder there are folders named Application Data, Cookies, IETldCache, Local Settings, Start Menu, SYSTEM's Documents and files named NTUSER.DAT (WMP icon, opens with Notepad), ntuser.dat.log (text document icon, opens with Notepad), and lastly ntuser.ini (configuration settings, opens with Notepad). If you go into the Local Settings folder there are folders named Application Data, History, Temp, & Temporary Internet Files. If you go into the Temp folder there are folders Cookies, History, & Temporary Internet Files. In Temporary Internet Files there is one folder named Content.IE5; inside this folder are 4 folders and 2 files. Folders are 3DURVZO0, BZTV&G0G, D7726YKJ, X401YNKM. Note that the first two folders contain both the letter O and zero in their names. Each of these folders has one file, desktop.ini configuration settings. The two files in this group are desktop.ini configuration settings and our old friend WMP icon index.dat, a dat file that opens with Notepad. Please advise of all safe deletions as I believe this may be the root of the problem. These are hidden files, as is Local Service and all following, with some unhidden ones in the hidden folders. Very strange to me.
I was curious if you had found anything on that get plus(R) helper 3004file? I have seen it in Control Panel>Add/Remove Programs and tried to uninstall it but it wouldn't allow it. Any tips on how to get rid of it? I really have no need for it and want to do my best to be sure I can get a clean reinstall of my AVG. I am seeing this file in the O16 portion of the OTL4 log. Just a note, the other day when I was looking at the process manager in HJT it showed 25 running processes and Task Manager was showing 34 running processes.
Also wondering about the two O24 entries. I'm using a MS sample picture as wallpaper. Those entries have never come up on a regular HJT scan.
I really do appreciate all you have done to help me. I'm just trying to be certain we kill this bug completely. I have been trying to get rid of it for 3 months. I believe we're about there. Thanks again.
I have been pulling the network plug except when absolutely necessary to communicate or download so as to prevent any interference from the other end of this bug. Can you recommend a user friendly firewall? I have found in my studies that the Windows firewall is Swiss cheese.
Thanks again.
All those files and folders you're talking about are legit and need to be there
http://www.bleepingcomputer.com/startups/getPlus_HelperSvc.exe-23382.html
Your system is clean so go online, do some surfing and enjoy
Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Hi,
We may not be so clean. I just tried to install AVG after downloading the full installation files and got this error message: "Error code 0xC0070643, General Internal Error. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode (I was not) or if the Windows Installer is not correctly installed. Contact your support. Context: MSI Action Failed."
Any ideas? Thank you.
Tim Kimbley
Hello Tim,
That looks to be a Windows problem installing AVG, not caused by malware.
http://www.avgforums.com/viewtopic.php?f=7&t=1118
Run this scan
Scan With RootKitUnHooker
Please choose one link and download Rootkit Unhooker and save it to your desktop.
Link 1 (http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE)
Link 2 (http://www.kernelmode.info/ARKs/RKUnhookerLE.zip)
Link 3 (http://www.kernelmode.info/ARKs/RkU3.8.388.590.rar)
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers and Stealth
Uncheck the rest, then click OK.
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished and then click File > Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in your next reply.
Note: you may get the following warning; just click OK and continue.
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"
Hi,
Downloaded Rootkit Unhooker and ran it as instructed. Checked and unchecked the items as instructed, hit Scan. I was not prompted to select which drives to scan, but allowed it to run anyway. Posting the report as requested. When I clicked Scan, the Stealth tab was showing and it flashed full of info for a millisecond, then went blank.
Rootkit Unhooker Report1
RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF8169000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2281472 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF908D000 C:\WINDOWS\System32\DRIVERS\AGRSM.sys 1269760 bytes (Agere Systems, SoftModem Device Driver)
0xBF064000 C:\WINDOWS\System32\ialmdd5.DLL 790528 bytes (Intel Corporation, DirectDraw(R) Driver for Intel(R) Graphics Technology)
0xF91FB000 C:\WINDOWS\System32\DRIVERS\ialmnt5.sys 741376 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF9380000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEFD30000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF801F000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xEFE3D000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEF7E9000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xEF2BD000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF94D9000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEF8B9000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF9353000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEECA8000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xEFDC8000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xEFE15000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xBF03E000 C:\WINDOWS\System32\ialmdev5.DLL 155648 bytes (Intel Corporation, Component GHAL Driver)
0xEFD0A000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xEFC46000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF8145000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF91C3000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF946E000 fasttx2k.sys 143360 bytes (Promise Technology, Inc., Promise FastTrak Series Driver for WindowsXP)
0xF8396000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xEFDF3000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806EF000 ACPI_HAL 131840 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF9436000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF94A9000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 122880 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF9339000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF9491000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xEFB66000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF9456000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF940D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF812E000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xEF4DC000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF83B9000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF91E7000 C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xEFE96000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF9424000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF94C8000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF807D000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xEF40E000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF9788000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF9538000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF9758000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF95C8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF80BE000 C:\WINDOWS\system32\drivers\npf.sys 61440 bytes (CACE Technologies, Inc., npf.sys (NT5/6 x86) Kernel Driver)
0xF9798000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xEF5D9000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF9698000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF9548000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF9588000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF9768000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF95D8000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF9568000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF9748000 C:\WINDOWS\System32\DRIVERS\R8139n51.SYS 49152 bytes (Realtek Semiconductor Corporation , Realtek RTL8139/810x Family NDIS 5.1 Drv)
0xF95F8000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF96E8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF9778000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF9558000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF95E8000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF9528000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF9678000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF9598000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)
0xF9648000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF9578000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF9738000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF9608000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF96C8000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xEF8E6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF96F8000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF9850000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF98D8000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF98E8000 C:\WINDOWS\System32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF9848000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF97A8000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF98F8000 C:\WINDOWS\System32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xF98E0000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF97C0000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xF9868000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF9858000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF9860000 C:\WINDOWS\System32\DRIVERS\PS2.sys 24576 bytes (Hewlett-Packard Company, PS2 SYS)
0xF9840000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF98C8000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF98D0000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF97B0000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF97E8000 C:\WINDOWS\system32\DRIVERS\pnarp.sys 20480 bytes (Cisco Systems, Inc., Address Resolution Protocol Driver)
0xF9878000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF97F0000 C:\WINDOWS\system32\DRIVERS\purendis.sys 20480 bytes (Cisco Systems, Inc., NDIS Relay Driver)
0xF97B8000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF9880000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF9870000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF9908000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF99EC000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xEFB0E000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF99D4000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF99B8000 C:\WINDOWS\System32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xF9938000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF800F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF99DC000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7FEF000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF7FE7000 C:\WINDOWS\System32\DRIVERS\srvkp.sys 12288 bytes (Silicon Integrated Systems Corporation, SiS VGA Driver Manager)
0xF9A76000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF9A9A000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF9A74000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF9A2E000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF9A28000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF9A78000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF9A38000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF9A7A000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF9A40000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF9A5C000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF9A2C000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF9A2A000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF9B0F000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF9C19000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF9B40000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF9AF0000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
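A triage pass over a ">Drivers" list like the one above, added here as an example and not part of the original thread or of RKUnhooker itself. It separates the entries RKU prints that are not files on disk (the kernel aliases PnpManager, RAW, WMIxWDM, Win32k and ACPI_HAL, which share ntoskrnl's, win32k's and hal's base addresses, and the dump_*.sys crash-dump stubs, which carry no version resource) from real drivers, then flags any real driver that has no vendor/description string or that loads from outside %SystemRoot%\system32. The pseudo-module list and the dump_ exemption are my reading of this report, and the xhdmkl.sys line in the sample is constructed to show what a hit looks like; everything else in the sample is copied from the report above.

```python
import re

# One RKUnhooker ">Drivers" line: base address, image (path or bare name), size,
# and an optional "(Vendor, Description)" tail.
DRIVER_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]{8})\s+(?P<image>\S+)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?$"
)

# Entries RKU lists that are not files on disk (assumption from the report: they
# share the base address of ntoskrnl.exe, win32k.sys and hal.dll).
PSEUDO_MODULES = {"pnpmanager", "raw", "wmixwdm", "win32k", "acpi_hal"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)

# Constructed sample: six lines copied from the report above plus one made-up
# driver (xhdmkl.sys) loaded from a Temp directory.
SAMPLE_REPORT = r"""
>Drivers
==============================================
0xF8169000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2281472 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0xF9380000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xEFB66000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xEF8E6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xEF900000 C:\DOCUME~1\Owner\LOCALS~1\Temp\xhdmkl.sys 24576 bytes
"""


def parse_rku_drivers(text):
    """Parse the >Drivers section of an RKUnhooker report into dicts."""
    drivers = []
    for raw in text.splitlines():
        m = DRIVER_RE.match(raw.strip())
        if not m:
            continue  # section headers, separators, blank lines
        drivers.append({
            "base": int(m.group("base"), 16),
            "image": m.group("image"),
            "size": int(m.group("size")),
            "info": m.group("info"),  # None when the "(Vendor, Description)" tail is absent
        })
    return drivers


def triage_drivers(drivers):
    """Return the drivers an analyst should look at, each with its reasons."""
    flagged = []
    for d in drivers:
        name = d["image"].rsplit("\\", 1)[-1].lower()
        if name in PSEUDO_MODULES:
            continue
        reasons = []
        # dump_*.sys are the crash-dump copies of the boot storage stack; they
        # legitimately have no version resource, so only other unnamed files count.
        if not d["info"] and not name.startswith("dump_"):
            reasons.append("no vendor/description")
        # A kernel module loading from anywhere but %SystemRoot%\system32 (Temp, a
        # user profile, Program Files) is the classic sign of a dropped driver.
        if "\\" in d["image"] and not SYSTEM_DIR_RE.match(d["image"]):
            reasons.append("loaded from outside %SystemRoot%\\system32")
        if reasons:
            flagged.append({"image": d["image"], "base": d["base"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_drivers(parse_rku_drivers(SAMPLE_REPORT)):
        print(f"0x{hit['base']:08X} {hit['image']}: {'; '.join(hit['reasons'])}")
```

Run against the full report above, nothing is flagged, which is the same conclusion the helper reaches in the next post; the check is a filter for where to look, not a verdict on its own, and a flagged file still needs its hash or signature checked before anything is removed.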
Tim,
What I did was have you run a rootkit scanner. This type of infection does not show up on most regular scanners, as it hides itself, and this program is one of the best for finding rootkits. It found none.
Why don't you post in this AVG forum for help with their product? It looks like other people are having the same issue.
http://forums.avg.com/us-en/avg-free-forum
Ken :)
Hi,
Thank you. I'll try the link you sent and see what happens. Thanks for all the help.
Tim Kimbley
You're welcome, Tim.
Keep in mind that when you have problems on your system, they're not always related to malware. There could be many causes: corrupted programs, missing drivers, even failing hardware, and the list goes on.
Take Care,
Ken :)
Since your last reply I did some searching and researching. I have had a program in Control Panel > Add/Remove Programs that I have not been able to uninstall; there just is no Remove button when it is highlighted. It is Microsoft Visual J# .NET Redistributable Package 1.1. In my research at MS I found that this is a developer tool, and I do not need or want it, but I haven't been able to get it to show up on any scans we or I have done.
I was looking for a way to get rid of that getPlus(R) Helper 3004, as I had found that these files are part of the Adobe Reader 6.0 install and should delete themselves upon install; therefore they shouldn't be there, and Adobe says to delete them. I did delete the NOS folder in C:\Program Files where this file resided, but getPlus(R) Helper 3004 is running as a service in Services and does not allow any option to delete it. While attempting to delete this service with HJT, I clicked on Properties for this file in Services and it showed the path to be C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper. I went looking, and in WINDOWS there was no System32 folder, rather a system32 folder. I did not find this file, but in my search I looked in the Installer (hidden) folder and found files in C:\WINDOWS\Microsoft.NET\Framework\VJSharp\VJSharpSxS10.dll and VJSWfcHost.dll. These raised my suspicions that I had finally found the elusive MS Visual J# .NET Framework Redistributable Package 1.1 that I want to delete.
After CAREFUL reading I downloaded ComboFix, saved it to the Desktop as Combo-Fix and ran it. It turned up the jsharp files. I am sending the ComboFix log for your review. As you will notice, these jsharp files are in the long strings.
ComboFix Log 3-2-11
ComboFix 11-03-02.01 - Owner 03/02/2011 13:33:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.140 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2011-02-02 to 2011-03-02 )))))))))))))))))))))))))))))))
.
2011-03-01 19:55 . 2011-03-01 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-21 21:02 . 2011-02-21 21:02 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 19:35 . 2011-02-21 21:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-21 19:35 . 2011-02-21 21:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-02-18 13:33 . 2011-02-18 13:33 -------- d-----w- c:\documents and settings\Owner\My Scans
2011-02-17 13:46 . 2011-02-17 13:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Template
2011-02-17 13:36 . 2011-02-21 21:01 -------- d-----w- C:\MSOffice(2)
2011-02-15 18:52 . 2011-02-15 18:52 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics
2011-02-10 17:48 . 2011-02-21 21:01 -------- d-----w- c:\program files\RegScrubXP
2011-02-08 17:48 . 2011-03-01 20:20 -------- d-----w- c:\program files\Trend Micro
2011-02-07 13:37 . 2011-02-07 13:37 -------- d-----w- c:\program files\Reference Assemblies
2011-02-04 19:34 . 2011-02-04 19:34 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-02-04 19:34 . 2011-02-04 19:34 -------- d-----w- c:\documents and settings\Owner\log
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-06-07 22:09 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-10 18:16 . 2011-01-10 18:17 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-10 18:16 . 2011-01-10 18:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-07 14:09 . 2004-06-07 22:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2011-01-06 16:09 . 2011-01-06 16:09 32768 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchapi.dll
2011-01-06 16:09 . 2011-01-06 16:09 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\ZipLib.dll
2011-01-06 16:09 . 2011-01-06 16:09 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchmsxml.dll
2011-01-06 16:09 . 2011-01-06 16:09 26572 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\INV16.dll
2011-01-06 16:09 . 2011-01-06 16:09 3072 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pchealthde.exe
2011-01-06 16:09 . 2011-01-06 16:09 5632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\GUI.dll
2011-01-06 16:09 . 2011-01-06 16:09 139264 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\ContentUpdater.exe
2011-01-06 16:09 . 2011-01-06 16:09 45056 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\util.dll
2011-01-06 16:09 . 2011-01-06 16:09 24576 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\pcdapi.dll
2011-01-06 16:09 . 2011-01-06 16:09 98304 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PluginCtrl.dll
2011-01-06 16:09 . 2011-01-06 16:09 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\msxmlwrapper.dll
2011-01-06 16:09 . 2011-01-06 16:09 344064 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\api.dll
2011-01-06 16:09 . 2011-01-06 16:09 114688 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\asst_ui.dll
2011-01-06 16:08 . 2011-01-06 16:08 282624 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\clientutil52.dll
2011-01-06 16:08 . 2011-01-06 16:08 356352 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\client_motkt.dll
2011-01-06 16:08 . 2011-01-06 16:08 20480 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\InetCheckWrap.dll
2011-01-06 16:08 . 2011-01-06 16:08 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PCHI18N.dll
2011-01-06 16:08 . 2011-01-06 16:08 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchnotify.exe
2011-01-06 16:08 . 2011-01-06 16:08 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\WinVerifyTrust.dll
2011-01-06 16:08 . 2011-01-06 16:08 4096 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\winverifytrustwrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 315392 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchmsxml.dll
2011-01-06 16:08 . 2011-01-06 16:08 212992 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\jsharpinterp.dll
2011-01-06 16:08 . 2011-01-06 16:08 159744 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\PCHButton.exe
2011-01-06 16:08 . 2011-01-06 16:08 434176 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\motivede.dll
2011-01-06 16:08 . 2011-01-06 16:08 36864 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\gnu.dll
2011-01-06 16:08 . 2011-01-06 16:08 49152 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\hwinv.dll
2011-01-06 16:08 . 2011-01-06 16:08 126976 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\SearchCtrl.dll
2011-01-06 16:08 . 2011-01-06 16:08 77824 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\FDIWrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 69632 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\jsharpde\msxmlwrapper.dll
2011-01-06 16:08 . 2011-01-06 16:08 307200 ----a-w- c:\windows\pchealth\HelpCtr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Presario\XPHNARS4EN\plugin\bin\pchealthplugin.dll
2010-12-31 13:10 . 2004-04-02 06:52 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-06-07 22:32 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-01-22 07:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-06-07 22:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-06-07 22:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2004-06-07 22:33 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2011-01-06 16:07 385024 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-04-02 06:52 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-06-07 22:32 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-04-02 06:52 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2002-08-29 08:04 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2003-12-18 118784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
"Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
S2 LinksysUpdater;Linksys Updater;"c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe" -s "c:\program files\Linksys\Linksys Updater\conf\wrapper.conf" --> c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [?]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [6/7/2004 4:09 PM 14336]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 13:41
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1847296987-2612838788-886327785-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2011-03-02 13:45:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-02 19:45
Pre-Run: 63,519,031,296 bytes free
Post-Run: 63,451,639,808 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - 590401070616869110C053022084D660
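The check behind the question in this post (a service whose image path is `svchost.exe -k nosGetPlusHelper`, with a matching `nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper` line under the Svchost key), written out as an added example that is not part of the thread or of ComboFix. A service hosted by svchost.exe is only as trustworthy as two things: the `-k` group in its image path must actually list that service under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and the ServiceDll the service's Parameters key names is the code that really runs. The script parses ComboFix-style service and Svchost lines, verifies the group membership, and marks any service using a group outside a stock XP install for a look at its ServiceDll. The stock group list is my assumption from memory and is illustrative only; the Kodak, nosGetPlusHelper and Svchost lines are copied from the log above, while the wuauhlp and wuauserv lines are constructed (one abuses the existing group name without being a member, one is a stock-group control case).

```python
import re

# Svchost groups on a stock Windows XP SP3 install. ASSUMPTION for illustration;
# on a real case, diff against a known-good machine's Svchost key instead.
STOCK_XP_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter", "wudfservicegroup",
}

# ComboFix service line: "<S2|R2|...> <name>;<display>;<image path> [<date> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?:\s+\[.*\])?$"
)
SVCHOST_K_RE = re.compile(r"svchost\.exe\"?\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
GROUP_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
SVCHOST_KEY = "[hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\svchost]"

# Constructed sample: three lines from the ComboFix log above plus two invented
# services, wuauhlp (borrows the nosGetPlusHelper group) and wuauserv (stock group).
SAMPLE_LOG = r"""
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [9/13/2010 5:18 PM 308656]
S4 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [6/7/2004 4:09 PM 14336]
S2 wuauhlp;Windows Update Helper;c:\windows\system32\svchost.exe -k nosGetPlusHelper [?]
R2 wuauserv;Automatic Updates;c:\windows\system32\svchost.exe -k netsvcs [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
"""


def parse_combofix(text):
    """Return (services, groups): service dicts and {group: [member, ...]}, lower-cased."""
    services, groups = [], {}
    in_svchost_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_svchost_key = line.lower() == SVCHOST_KEY  # any other key ends the section
            continue
        if in_svchost_key:
            m = GROUP_RE.match(line)
            if m:
                groups[m.group("group").lower()] = m.group("members").lower().split()
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({k: m.group(k).strip() for k in ("start", "name", "display", "path")})
    return services, groups


def audit_svchost_services(services, groups, stock_groups=STOCK_XP_GROUPS):
    """For each svchost-hosted service, check its -k group against the Svchost key."""
    findings = []
    for svc in services:
        m = SVCHOST_K_RE.search(svc["path"])
        if not m:
            continue  # runs its own binary; not a svchost group question
        group = m.group("group").lower()
        name = svc["name"].lower()
        members = groups.get(group)
        notes = []
        if members is not None and name not in members:
            notes.append("service is not listed as a member of its group")
        if group in stock_groups:
            # ComboFix prints only non-default Svchost values, so a stock group with
            # no line in the log is expected; membership must then be checked live.
            verdict = "suspicious" if notes else "ok"
        elif members is None:
            notes.append("group has no entry under the Svchost key")
            verdict = "suspicious"
        elif notes:
            verdict = "suspicious"
        else:
            notes.append("non-stock group: confirm which ServiceDll it loads")
            verdict = "review"
        findings.append({"service": svc["name"], "group": group, "verdict": verdict, "notes": notes})
    return findings


if __name__ == "__main__":
    svcs, grps = parse_combofix(SAMPLE_LOG)
    for f in audit_svchost_services(svcs, grps):
        print(f"{f['verdict']:10} {f['service']} (-k {f['group']}): {'; '.join(f['notes']) or 'group membership consistent'}")
```

For the real nosGetPlusHelper entry the result is "review", not "suspicious": the group and its membership are consistent, and what settles it is the ServiceDll under HKLM\SYSTEM\CurrentControlSet\Services\nosGetPlusHelper\Parameters, which for this service belongs to the Adobe download manager (the conclusion the helper gives in the next post). The constructed wuauhlp line shows the pattern that would actually matter: a service pointing at a group that does not list it.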
getPlus Helper is part of the Adobe updater; it's a legit program.
You need to post in a Windows forum for help with that; we just do malware removal on this one.
http://forums.whatthetech.com/index.php?showforum=119
You know, you're getting all excited and tying yourself in a knot for really nothing.