AV Security Suite won't go away!

Post by OhioPuppy on Wed 30 Jun 2010, 1:16 pm

Hi, and thank you in advance for your help.

I became infected with AV Security Suite today, and I followed the standard AV Security removal instructions. HijackThis showed me the correct entry to delete, and I did so. Malwarebytes found and deleted five infected files, all of which looked like they were part of AV Security Suite.

But when I restarted my PC, the AV Security Suite came roaring right back. It won't even allow me to use IE or Safari -- it just keeps redirecting me to the "Navigating to this site may harm your computer" message, regardless of where I try to go.

I have run OTL, and here are the outputs.

OTL.txt:

OTL logfile created on: 6/29/2010 10:00:53 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Download Files\Hijack This
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 174.06 Gb Free Space | 58.39% Space Free | Partition Type: NTFS
Drive D: | 466.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-F4D19A0F8A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/29 21:59:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Download Files\Hijack This\OTL.exe
PRC - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/29 21:59:06 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Download Files\Hijack This\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/05/03 19:00:18 | 001,156,440 | ---- | M] (LeapFrog Enterprises, Inc.) [Auto | Stopped] -- C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe -- (LeapFrog Connect Device Service)
SRV - [2010/03/25 21:40:44 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/09/15 14:13:30 | 000,299,008 | ---- | M] (Alcatel-Lucent) [Auto | Stopped] -- C:\Program Files\Common Files\Motive\McciServiceHost.exe -- (McciServiceHost)
SRV - [2008/04/10 20:08:44 | 000,212,992 | ---- | M] (IDT, Inc.) [Auto | Stopped] -- C:\WINDOWS\system32\stacsv.exe -- (STacSV)
SRV - [2007/07/03 12:32:16 | 000,131,072 | ---- | M] (NVIDIA) [Auto | Stopped] -- C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe -- (nTuneService)
SRV - [2007/06/12 13:27:22 | 001,309,264 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\swdsvc.exe -- (sdCoreService)
SRV - [2007/06/12 13:27:14 | 000,708,688 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\svcntaux.exe -- (sdAuxService)


========== Driver Services (SafeList) ==========

DRV - [2010/03/25 21:30:22 | 000,151,216 | ---- | M] (Microsoft Corporation) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/11/10 10:27:06 | 000,018,560 | ---- | M] (LeapFrog) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\FlyUsb.sys -- (FlyUsb)
DRV - [2009/09/15 14:13:34 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2009/09/15 14:13:34 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/04/30 10:02:00 | 008,055,584 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/10 20:10:10 | 001,271,032 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/07/03 12:33:04 | 000,006,912 | ---- | M] (NVidia Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\nvoclock.sys -- (NVR0Dev)
DRV - [2007/05/23 16:58:50 | 000,083,024 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iksyssec.sys -- (IKSysSec)
DRV - [2007/05/23 16:58:46 | 000,057,424 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iksysflt.sys -- (IkSysFlt)
DRV - [2007/05/23 16:58:42 | 000,053,840 | ---- | M] (PCTools Research Pty Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ikfilesec.sys -- (IKFileSec)
DRV - [2007/05/23 16:58:38 | 000,039,376 | ---- | M] (PCTools Research Pty Ltd.) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ikfileflt.sys -- (IKFileFlt)
DRV - [2007/03/16 14:59:40 | 000,054,272 | ---- | M] (Sonic Focus, Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sfng32.sys -- (sfng32)
DRV - [2006/11/01 10:39:16 | 000,246,680 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
DRV - [2006/10/30 16:53:32 | 000,044,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2006/09/24 09:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Boot | Running] -- C:\WINDOWS\system32\speedfan.sys -- (speedfan)
DRV - [2004/08/12 17:45:54 | 000,137,728 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [1996/04/03 15:33:26 | 000,005,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\giveio.sys -- (giveio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/08/03 20:54:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn\
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/24 13:27:40 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/24 13:27:40 | 000,000,000 | ---D | M]

[2010/02/09 19:21:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/08/03 20:54:09 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\google-cjk@partners.mozilla.com
[2010/02/03 20:11:48 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\talkback@mozilla.org
[2009/03/31 22:47:26 | 000,324,976 | ---- | M] (Symantec Corporation) -- C:\Program Files\Mozilla Firefox\components\coFFPlgn.dll
[2010/02/03 20:11:36 | 000,067,688 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jar50.dll
[2010/02/03 20:11:36 | 000,054,368 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\jsd3250.dll
[2010/02/03 20:11:36 | 000,034,944 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\myspell.dll
[2010/02/03 20:11:36 | 000,046,712 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\spellchk.dll
[2010/02/03 20:11:36 | 000,172,136 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\xpinstal.dll
[2009/10/14 22:41:39 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2006/02/28 08:00:00 | 000,000,709 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\5.0.375.62\npchrome_frame.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe ()
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [itype] c:\Program Files\Microsoft IntelliType Pro\itype.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Monitor] C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe (LeapFrog Enterprises, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NWEReboot] File not found
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} [You must be registered and logged in to see this link.] (System Requirements Lab Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} [You must be registered and logged in to see this link.] (AxProdInfoCtl Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} [You must be registered and logged in to see this link.] (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_14)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\cf - No CLSID value found
O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\5.0.375.62\npchrome_frame.dll (Google Inc.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - File not found
O24 - Desktop BackupWallPaper:
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/04/12 13:07:31 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004/08/24 17:38:10 | 000,000,000 | R--D | M] - D:\Autorun -- [ CDFS ]
O32 - AutoRun File - [2004/10/05 19:11:42 | 000,180,224 | R--- | M] () - D:\Autorun.exe -- [ CDFS ]
O32 - AutoRun File - [2004/08/24 17:57:32 | 000,000,042 | R--- | M] () - D:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2004/10/05 19:11:42 | 000,180,224 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/04/12 08:42:04 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sdauxservice - C:\Program Files\Spyware Doctor\svcntaux.exe (PC Tools)
SafeBootMin: sdcoreservice - C:\Program Files\Spyware Doctor\swdsvc.exe (PC Tools)
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: hitmanpro35 - Reg Error: Value error.
SafeBootNet: hitmanpro35.sys - Reg Error: Value error.
SafeBootNet: HitmanPro35Crusader - Reg Error: Value error.
SafeBootNet: MsMpSvc - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sdauxservice - C:\Program Files\Spyware Doctor\svcntaux.exe (PC Tools)
SafeBootNet: sdcoreservice - C:\Program Files\Spyware Doctor\swdsvc.exe (PC Tools)
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - Reg Error: Value error.
ActiveX: {AA218328-0EA8-4D70-8972-E987A9190FF4} - Reg Error: Value error.
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\IR32_32.DLL ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\IR41_32.DLL (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Error starting restore point: The function was called in safe mode.
Error closing restore point: The sequence number is invalid.

========== Files/Folders - Created Within 30 Days ==========

[2010/06/29 21:59:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Helios
[2010/06/29 21:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
[2010/06/29 21:14:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/06/29 21:14:57 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/06/29 20:35:57 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/06/29 20:32:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2010/06/29 20:32:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2010/06/11 16:42:04 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2010/06/04 13:57:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/06/03 10:58:59 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temporary Internet Files
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temp
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\Recent
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Recent
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/06/03 10:46:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\History
[2010/06/02 13:58:48 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/06/02 13:58:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/06/02 08:42:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/02 08:42:31 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/01 16:36:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/01 14:56:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/06/01 14:56:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/01 13:02:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Google
[2010/06/01 12:51:08 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2010/06/01 12:45:53 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2010/06/01 12:45:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2010/06/01 12:45:53 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2010/06/01 12:45:53 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2010/06/01 12:45:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2010/06/01 12:45:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2010/06/01 12:45:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2010/06/01 12:45:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2010/06/01 12:45:53 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Help
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
[2010/06/01 12:45:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Apple Computer
[2010/06/01 11:24:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[12 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/29 21:59:56 | 000,786,432 | -H-- | M] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/29 21:59:04 | 000,000,408 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/29 21:53:49 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/29 21:53:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/29 21:52:43 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/29 21:50:21 | 000,229,488 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/06/29 21:50:15 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/06/29 21:48:32 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/29 21:26:33 | 000,002,644 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/06/29 21:15:01 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/29 20:35:57 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/06/29 20:29:03 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/06/29 20:24:13 | 000,000,820 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/29 19:59:26 | 000,016,968 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/06/28 21:35:12 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/28 21:33:58 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/06/28 20:00:00 | 000,000,738 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - User.job
[2010/06/27 11:52:36 | 000,043,520 | ---- | M] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2010/06/22 22:31:09 | 000,505,608 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/22 22:31:09 | 000,444,358 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/22 22:31:09 | 000,072,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/21 19:34:55 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/06/20 19:20:07 | 000,000,091 | ---- | M] () -- C:\WINDOWS\CIV.INI
[2010/06/19 13:17:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/12 06:45:04 | 000,268,600 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 22:02:53 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/08 19:49:33 | 000,000,282 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/06/04 20:15:28 | 000,000,582 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/04 20:15:28 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/06/04 20:15:28 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/06/03 11:00:45 | 000,069,632 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/06/02 15:32:17 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/06/01 16:25:03 | 003,152,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/06/01 13:37:48 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[12 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/29 21:15:01 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/06/29 20:35:57 | 000,001,734 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HijackThis.lnk
[2010/06/29 20:35:53 | 000,000,408 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/06/11 21:50:12 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/06/07 17:54:20 | 000,000,282 | ---- | C] () -- C:\WINDOWS\System32\.crusader
[2010/06/01 16:36:59 | 000,000,820 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Security Essentials.lnk
[2010/06/01 12:45:55 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/06/01 12:45:53 | 000,786,432 | -H-- | C] () -- C:\Documents and Settings\Administrator\NTUSER.DAT
[2010/06/01 12:45:53 | 000,446,464 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.LOG
[2010/05/25 19:25:04 | 000,016,968 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/14 15:25:21 | 000,000,225 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
[2010/04/14 15:25:21 | 000,000,093 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
[2010/04/14 15:24:20 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/07/19 21:28:49 | 000,030,464 | ---- | C] () -- C:\WINDOWS\macromix.dll
[2009/07/19 21:28:25 | 000,000,156 | ---- | C] () -- C:\WINDOWS\SGPS.INI
[2009/05/01 01:31:06 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/05/01 01:31:06 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/05/01 01:31:06 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/05/01 01:31:06 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/12/28 10:25:35 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/05/27 21:00:33 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2008/05/27 21:00:33 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2007/08/11 07:47:06 | 000,000,091 | ---- | C] () -- C:\WINDOWS\CIV.INI
[2007/08/11 07:46:47 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\IYVU9_32.DLL
[2007/07/28 18:00:07 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2007/05/08 19:35:22 | 000,197,120 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2007/05/08 13:36:49 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/05/08 10:48:00 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/04/12 14:44:48 | 000,000,373 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2007/03/12 12:01:30 | 000,217,088 | ---- | C] () -- C:\WINDOWS\NVGfxOgl.dll
[2000/09/13 18:15:38 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\pagesync.dll
[1996/04/03 15:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/04/12 08:47:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/04/12 08:47:00 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/04/12 08:47:00 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2006/02/28 08:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2006/02/28 08:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[1996/04/03 15:33:26 | 000,005,248 | ---- | M] () -- C:\WINDOWS\system32\giveio.sys
[2006/02/28 08:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2006/02/28 08:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2006/02/28 08:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2006/02/28 08:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2006/02/28 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2006/02/28 08:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2006/02/28 08:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2006/02/28 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2006/02/28 08:00:00 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2006/02/28 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2006/02/28 08:00:00 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2006/02/28 08:00:00 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2006/02/28 08:00:00 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2006/09/24 09:28:46 | 000,005,248 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\speedfan.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/05/02 01:22:50 | 001,851,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[4 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2007/07/20 20:58:00 | 000,002,694 | ---- | M] () -- C:\20070720 Resume.txt
[2007/08/06 20:30:43 | 000,000,794 | ---- | M] () -- C:\20070806 Overstock.txt
[2007/04/12 13:07:31 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/06/04 20:15:28 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2009/07/19 21:28:25 | 000,000,000 | ---- | M] () -- C:\CONFIG.001
[2009/07/19 21:28:30 | 000,000,012 | ---- | M] () -- C:\CONFIG.SYS
[2009/07/05 22:00:34 | 000,000,207 | ---- | M] () -- C:\Henrys_Defiance.txt
[2007/04/12 13:07:31 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/06/05 19:29:05 | 000,000,477 | ---- | M] () -- C:\LOG15.log
[2010/05/05 19:53:18 | 000,000,477 | ---- | M] () -- C:\LOG1A8.log
[2009/09/03 11:57:58 | 000,000,477 | ---- | M] () -- C:\LOG1C.log
[2009/11/08 16:59:25 | 000,000,477 | ---- | M] () -- C:\LOG3.log
[2010/01/18 21:59:14 | 000,000,477 | ---- | M] () -- C:\LOG4.log
[2010/03/30 20:39:14 | 000,000,477 | ---- | M] () -- C:\LOG50.log
[2009/03/24 21:31:05 | 000,000,477 | ---- | M] () -- C:\LOG58.log
[2010/03/27 16:15:06 | 000,000,477 | ---- | M] () -- C:\LOG8.log
[2009/07/28 10:42:00 | 000,000,477 | ---- | M] () -- C:\LOGA8F.log
[2010/03/07 22:53:36 | 000,000,477 | ---- | M] () -- C:\LOGC89.log
[2009/03/31 22:00:52 | 000,000,477 | ---- | M] () -- C:\LOGD.log
[2010/03/30 09:34:02 | 000,000,477 | ---- | M] () -- C:\LOGF.log
[2007/04/12 13:07:31 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/08/26 20:31:39 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/29 21:53:22 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
[2008/10/14 21:38:33 | 000,012,786 | ---- | M] () -- C:\The Cell.docx
[2009/10/22 22:13:27 | 000,007,168 | -HS- | M] () -- C:\Thumbs.db
[2007/05/19 16:46:40 | 004,935,756 | ---- | M] () -- C:\World Map.jpg
[2008/04/29 19:31:33 | 000,000,146 | ---- | M] () -- C:\YServer.txt
[12 C:\*.tmp files -> C:\*.tmp -> ]

< %PROGRAMFILES%\*. >
[2008/09/29 06:30:22 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2009/11/18 18:33:33 | 000,000,000 | ---D | M] -- C:\Program Files\AGEIA Technologies
[2010/06/02 13:58:48 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2008/08/08 19:50:54 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/07/11 21:45:50 | 000,000,000 | ---D | M] -- C:\Program Files\Atari
[2009/11/12 14:41:45 | 000,000,000 | ---D | M] -- C:\Program Files\ATT-SST
[2009/03/21 08:33:11 | 000,000,000 | ---D | M] -- C:\Program Files\BFG
[2009/03/08 18:47:31 | 000,000,000 | ---D | M] -- C:\Program Files\BitZipper
[2010/04/24 13:23:49 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2010/04/14 15:24:52 | 000,000,000 | ---D | M] -- C:\Program Files\Brother
[2010/06/01 10:13:14 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/03/01 18:49:49 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2007/04/12 13:04:51 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/03/19 06:43:38 | 000,000,000 | ---D | M] -- C:\Program Files\Conduit
[2007/04/13 09:50:46 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2007/05/14 19:00:46 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo
[2009/12/31 18:33:16 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2007/05/14 20:41:04 | 000,000,000 | ---D | M] -- C:\Program Files\directx
[2009/11/14 19:15:10 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/01/01 14:42:09 | 000,000,000 | ---D | M] -- C:\Program Files\Guild Wars
[2010/06/10 21:04:29 | 000,000,000 | ---D | M] -- C:\Program Files\GURPS Character Assistant 4
[2010/05/25 19:24:25 | 000,000,000 | ---D | M] -- C:\Program Files\Hitman Pro 3.5
[2008/10/24 15:43:42 | 000,000,000 | ---D | M] -- C:\Program Files\IDT
[2009/07/19 21:16:47 | 000,000,000 | ---D | M] -- C:\Program Files\IMSI
[2010/04/14 15:24:18 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2007/04/12 17:49:54 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2008/10/24 15:26:17 | 000,000,000 | ---D | M] -- C:\Program Files\Intel Audio Studio
[2010/06/11 21:50:05 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/04/24 13:30:46 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/04/24 13:31:38 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2009/06/20 03:42:14 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/12/31 18:32:49 | 000,000,000 | ---D | M] -- C:\Program Files\LeapFrog
[2010/02/07 18:24:19 | 000,000,000 | ---D | M] -- C:\Program Files\LEGO Company
[2010/06/29 21:15:01 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2007/06/08 17:23:40 | 000,000,000 | ---D | M] -- C:\Program Files\Maxis
[2008/08/26 20:56:55 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2007/08/11 08:09:36 | 000,000,000 | ---D | M] -- C:\Program Files\MicroProse Software
[2007/04/12 13:07:54 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2007/12/03 22:48:18 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2007/04/12 16:28:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft IntelliPoint
[2007/04/12 16:27:16 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft IntelliType Pro
[2007/07/23 16:16:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/06/29 20:24:54 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Security Essentials
[2007/07/23 16:16:05 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2007/07/23 16:13:26 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 8
[2009/10/22 08:03:19 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2007/07/23 16:15:17 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/03/10 22:50:13 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/04/14 15:44:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2007/07/23 16:16:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2007/04/12 13:03:56 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007/04/12 13:04:33 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/04/13 09:32:28 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2007/08/14 21:46:11 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010/05/30 11:30:30 | 000,000,000 | ---D | M] -- C:\Program Files\Mystery Case Files - Ravenhearst
[2007/04/13 09:56:33 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2008/08/26 20:34:21 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2007/08/11 21:19:50 | 000,000,000 | ---D | M] -- C:\Program Files\Nucleosys
[2007/08/18 07:10:13 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2007/04/12 13:04:41 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/11 21:43:10 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2009/10/14 22:41:33 | 000,000,000 | ---D | M] -- C:\Program Files\Pando Networks
[2007/06/18 06:14:26 | 000,000,000 | ---D | M] -- C:\Program Files\Photo Story 3 for Windows
[2010/03/01 19:07:05 | 000,000,000 | ---D | M] -- C:\Program Files\Picasa2
[2010/04/24 13:27:40 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2007/04/12 15:33:48 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/04/24 13:19:41 | 000,000,000 | ---D | M] -- C:\Program Files\Safari
[2009/06/21 14:34:56 | 000,000,000 | ---D | M] -- C:\Program Files\SEGA
[2010/03/01 18:50:17 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2009/11/08 13:41:25 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedFan
[2010/06/02 15:41:52 | 000,000,000 | ---D | M] -- C:\Program Files\Spybot - Search & Destroy
[2009/02/08 07:09:14 | 000,000,000 | ---D | M] -- C:\Program Files\Spyware Doctor
[2008/11/23 10:23:06 | 000,000,000 | ---D | M] -- C:\Program Files\Strange Adventures in Infinite Space
[2010/06/02 15:42:11 | 000,000,000 | ---D | M] -- C:\Program Files\SUPERAntiSpyware
[2009/07/13 17:48:00 | 000,000,000 | ---D | M] -- C:\Program Files\SystemRequirementsLab
[2008/06/15 22:05:54 | 000,000,000 | ---D | M] -- C:\Program Files\Teamspeak2_RC2
[2007/05/22 22:08:38 | 000,000,000 | ---D | M] -- C:\Program Files\TextPad 5
[2010/02/14 10:13:29 | 000,000,000 | ---D | M] -- C:\Program Files\Ticket to Ride Online
[2010/06/29 20:35:57 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2009/10/15 07:10:13 | 000,000,000 | ---D | M] -- C:\Program Files\Turbine
[2007/04/12 14:03:05 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2007/11/18 17:12:52 | 000,000,000 | ---D | M] -- C:\Program Files\Ventrilo
[2007/05/14 20:31:50 | 000,000,000 | ---D | M] -- C:\Program Files\Vivendi Universal Games
[2008/12/24 19:40:13 | 000,000,000 | ---D | M] -- C:\Program Files\WildGames
[2007/06/18 06:10:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2008/08/26 20:34:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/08/26 20:34:16 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2008/03/15 17:13:45 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2007/04/12 13:06:40 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2007/04/12 13:07:54 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2007/05/25 07:25:45 | 000,000,000 | --SD | M] -- C:\Program Files\Xfire
[2008/10/24 13:28:11 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2010/03/19 06:43:38 | 000,000,000 | ---D | M] -- C:\Program Files\Zynga

< %appdata%\*.* >
[2007/04/12 08:48:38 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2008/08/26 20:27:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-06-30 00:24:57
< End of report >


OhioPuppy

Newbie Surfer

Posts : 15
Joined : 2010-06-30
Operating System : Windows XP Professional


Re: AV Security Suite won't go away!

Post by OhioPuppy on Wed 30 Jun 2010, 1:17 pm

Extras.Txt:

OTL Extras logfile created on: 6/29/2010 10:00:53 PM - Run 1
OTL by OldTimer - Version 3.2.7.0 Folder = C:\Download Files\Hijack This
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 84.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 174.06 Gb Free Space | 58.39% Space Free | Partition Type: NTFS
Drive D: | 466.99 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-F4D19A0F8A
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"56107:TCP" = 56107:TCP:*:Enabled:Pando Media Booster
"56107:UDP" = 56107:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe" = C:\Program Files\Microsoft Games\Zoo Tycoon 2\zt.exe:*:Enabled:Zoo Tycoon 2 Executable -- (Microsoft Corporation)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Program Files\Common Files\Motive\McciServiceHost.exe" = C:\Program Files\Common Files\Motive\McciServiceHost.exe:*:Enabled:McciServiceHost -- (Alcatel-Lucent)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\User\Local Settings\Temp\7zSD9.tmp\SymNRT.exe" = C:\Documents and Settings\User\Local Settings\Temp\7zSD9.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
"C:\Documents and Settings\User\Local Settings\Temp\7zSDB.tmp\SymNRT.exe" = C:\Documents and Settings\User\Local Settings\Temp\7zSDB.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E4BC542-9CFD-4E97-B586-9F1E5516E7B9}" = Microsoft IntelliPoint 6.1
"{107254A0-0ADF-11D4-9397-00D0B7020B38}" =
"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2222B364-0854-4265-B32E-A142DB9DC7BB}" = Intel(R) PRO Network Connections 11.2.0.69
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 14
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{374F03BB-9C09-4DB3-9C9B-C71E63292950}" = Google Earth
"{3A1B1652-D70A-4D19-981E-BB15D0DBF253}" = Ghostbusters (TM): The Video Game
"{4AC7761F-7B49-482A-9BA1-E223D32D2B64}" = Intel Audio Studio
"{4B222C8E-8DEB-4DBC-B57A-78BEB72ABD3A}" = LeapFrog Connect
"{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}" = Photo Story 3 for Windows
"{51F96AEC-D902-4434-A0DC-B9692A21AE7C}" = MobileMe Control Panel
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{55CE417E-BCB2-47B6-86B5-B40860D81033}" = Nero 7 Essentials
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{708A6AC6-03EC-11D5-AA9A-00C0DF245F7E}" = FloorPlan 3D v7
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{749C0879-145F-4509-B590-84BAEFF4193A}" = Intel Audio Studio
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUSR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUSR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUSR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUSR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUSR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{907B4640-266B-4A21-92FB-CD1A86CD0F63}" = RollerCoaster Tycoon® 3
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{91120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0011-0000-0000-0000000FF1CE}_PROPLUSR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A912C12-A7DA-44D7-BD57-5CA85E2F33E1}" = Brother MFL-Pro Suite
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A52415E5-CA1E-44DE-9EDC-D412F31D271C}" = Google Photos Screensaver
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A7A34FC9-DF24-4A36-00AD-D4EFE94CC116}" = SimCity 4 Deluxe
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C73A3AB4-99A4-45E5-B77F-09A3065E0D6A}" = Microsoft IntelliType Pro 6.1
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{E05B1C38-AE31-4146-8D47-E5E71BEB8D9E}" = Immortal Cities
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E62A1F01-07B7-4541-A835-EE5B0BF064C2}" = Microsoft Antimalware
"{EA926717-CE5A-4CB4-AB21-9E6E9565A458}" = RCT3 Soaked
"{EF98A02A-1748-4762-9B7D-5ED1600520D5}" = Microsoft Security Essentials
"{F330293A-DB6A-4495-BE34-8DC9453CBFE1}" = LeapFrog Tag Plugin
"{F79AAB3A-B8B4-4AC7-94AB-1C4C076C6A89}" = The Simpsons Hit & Run(TM)
"0731-5765-0485-3896" = Ticket to Ride Online 1.1.5
"15b35190-c6f9-11d9-9669-0800200c9a66_is1" = Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.09.04.804
"781745E87AFF80C0C1388CFF79D19ECAB2E9BB47" = Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
"8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D" = Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATT-SST-UversePortal" = AT&T Portal
"Battle.net" = Battle.net
"BitZipper_is1" = BitZipper 5.1
"CCleaner" = CCleaner
"Civilization II Multiplayer Gold Edition" = Civilization II Multiplayer Gold Edition
"Diablo" = Diablo
"Google Chrome Frame" = Google Chrome Frame
"Guild Wars" = Guild Wars
"GURPS Character Assistant 4" = GURPS Character Assistant 4
"HECI" = Intel(R) Management Engine Interface
"HijackThis" = HijackThis 2.0.2
"HitmanPro35" = Hitman Pro 3.5
"ie7" = Windows Internet Explorer 7
"InstallShield_{3A1B1652-D70A-4D19-981E-BB15D0DBF253}" = Ghostbusters (TM): The Video Game
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA nTune
"InstallShield_{E05B1C38-AE31-4146-8D47-E5E71BEB8D9E}" = Immortal Cities
"Klinn's ElectroSet (RCT3)_is1" = Klinn's ElectroSet Version 2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Essentials" = Microsoft Security Essentials
"Mozilla Firefox (2.0.0.20)" = Mozilla Firefox (2.0.0.20)
"Network Addon Mod" = Network Addon Mod Version April 2008
"New LEGO Digital Designer" = LEGO Digital Designer
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa 3" = Picasa 3
"PROPLUSR" = Microsoft Office Professional Plus 2007
"SpeedFan" = SpeedFan (remove only)
"Spyware Doctor" = Spyware Doctor 5.0
"Strange Adventures in Infinite Space" = Strange Adventures in Infinite Space
"SystemRequirementsLab" = System Requirements Lab
"TagPlugin" = Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
"Teamspeak 2 RC2_is1" = TeamSpeak 2 RC2
"UPCShell" = LeapFrog Connect
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WT015792" = FATE
"Xfire" = Xfire (remove only)
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Extras" = Yahoo! Browser Services
"Yahoo! Mail" = Yahoo! Internet Mail
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager
"Zoo Tycoon 1.0" = Zoo Tycoon Expanded
"Zoo Tycoon 2" = Zoo Tycoon 2 Endangered Species
"Zynga Toolbar" = Zynga Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/29/2010 9:33:08 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:48:01 PM | Computer Name = USER-F4D19A0F8A | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Administrator\Application
Data\Sun\Java\jre1.6.0_20\jre1.6.0_20.msi is not permitted due to an error in software
restriction policy processing. The object cannot be trusted.

Error - 6/29/2010 9:49:34 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:49:34 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:50:11 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:50:11 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:53:41 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:53:41 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:53:41 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:53:41 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 6/29/2010 9:48:03 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

Error - 6/29/2010 9:48:32 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/29/2010 9:49:37 PM | Computer Name = USER-F4D19A0F8A | Source = Service Control Manager | ID = 7000
Description = The Audio Service service failed to start due to the following error:
%%3

Error - 6/29/2010 9:54:00 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 6/29/2010 9:55:15 PM | Computer Name = USER-F4D19A0F8A | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips intelppm MpFilter

Error - 6/29/2010 9:57:53 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 6/29/2010 9:57:53 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 6/29/2010 9:58:00 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 6/29/2010 9:59:47 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 6/29/2010 9:59:47 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


< End of report >

OhioPuppy

Newbie Surfer

Posts : 15
Joined : 2010-06-30
Operating System : Windows XP Professional

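The firewall port rules, the Authorized Applications List and the last ten event-log errors in the OTL log above are the parts a responder reads first. The script below is an added example written for this page, not code from the thread, from OTL or from any other tool mentioned in it. It parses those lines as OTL prints them and flags the usual review items: port rules scoped to `*` rather than LocalSubNet, authorized executables sitting under Temp or Local Settings\Application Data or annotated "File not found", Userenv 1041 entries (typically an orphaned GUID under Winlogon\GPExtensions whose DllName is gone), and MsiInstaller 1008 entries (an install blocked by Software Restriction Policy). The sample lines embedded in it are copied from the log above; the directory heuristics and the finding labels are assumptions of the example.

```python
"""Triage the firewall and event-log sections of an OTL log.

Added example for this thread; not code from OTL, HijackThis or any other
tool named in it. Flags: port rules scoped to '*' rather than LocalSubNet,
authorized executables under Temp / Local Settings\Application Data or
annotated "File not found", Userenv 1041 (orphaned GPExtensions GUID) and
MsiInstaller 1008 (install blocked by Software Restriction Policy).
Directory heuristics and labels are assumptions of this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PORT_RULE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)" = \d+:(?:TCP|UDP):'
                       r'(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$')
# OTL repeats the path on both sides of '='; the backreference enforces that.
APP_RULE = re.compile(r'^"(?P<path>[^"]+)" = (?P=path):(?P<scope>[^:]+):'
                      r'(?P<state>Enabled|Disabled):(?P<desc>.*)$')
EVENT_HEADER = re.compile(r'^Error - (?P<when>.+?) \| Computer Name = (?P<host>\S+) \| '
                          r'Source = (?P<source>.+?) \| ID = (?P<eid>\d+)$')
GUID = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
# Assumed heuristic: directories from which a firewall-authorized exe deserves a look.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\local settings\\application data\\")


@dataclass(frozen=True)
class Finding:
    kind: str    # port-any-scope | app-missing | app-temp-path | orphan-gpext | srp-block
    detail: str  # the port, path, GUID or description the finding is about


def triage_firewall(text: str) -> list[Finding]:
    """Scan port rules and Authorized Applications lines as OTL prints them."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PORT_RULE.match(line)):
            if m["scope"] == "*" and m["state"] == "Enabled":
                findings.append(Finding("port-any-scope",
                                        f"{m['port']}/{m['proto']} open to any address ({m['name']})"))
        elif (m := APP_RULE.match(line)):
            if m["desc"].endswith("File not found"):
                findings.append(Finding("app-missing", m["path"]))
            if any(d in m["path"].lower() for d in SUSPECT_DIRS):
                findings.append(Finding("app-temp-path", m["path"]))
    return findings


def parse_events(text: str) -> list[dict]:
    """Split OTL's 'Last 10 Event Log Errors' text into one dict per event."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):          # blank line or section header
            current = None
        elif (m := EVENT_HEADER.match(line)):
            current = dict(m.groupdict(), description="")
            events.append(current)
        elif current is not None:                      # description, possibly wrapped
            piece = line[len("Description = "):] if line.startswith("Description = ") else line
            current["description"] = (current["description"] + " " + piece).strip()
    return events


def triage_events(text: str) -> list[Finding]:
    findings = []
    for ev in parse_events(text):
        if (ev["source"], ev["eid"]) == ("Userenv", "1041"):
            g = GUID.search(ev["description"])
            findings.append(Finding("orphan-gpext", g.group(0) if g else ev["description"]))
        elif (ev["source"], ev["eid"]) == ("MsiInstaller", "1008") \
                and "software restriction policy" in ev["description"].lower():
            findings.append(Finding("srp-block", ev["description"]))
    return findings


# Constructed sample input: lines copied from the OTL excerpt in the thread.
SAMPLE_FIREWALL = r'''
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"56107:TCP" = 56107:TCP:*:Enabled:Pando Media Booster
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\User\Local Settings\Temp\7zSD9.tmp\SymNRT.exe" = C:\Documents and Settings\User\Local Settings\Temp\7zSD9.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found
'''
SAMPLE_EVENTS = r'''
[ Application Events ]
Error - 6/29/2010 9:33:08 PM | Computer Name = USER-F4D19A0F8A | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 6/29/2010 9:48:01 PM | Computer Name = USER-F4D19A0F8A | Source = MsiInstaller | ID = 1008
Description = The installation of C:\Documents and Settings\Administrator\Application
Data\Sun\Java\jre1.6.0_20\jre1.6.0_20.msi is not permitted due to an error in software
restriction policy processing. The object cannot be trusted.

[ System Events ]
Error - 6/29/2010 9:48:03 PM | Computer Name = USER-F4D19A0F8A | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service MSIServer with
arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
'''

if __name__ == "__main__":
    for f in triage_firewall(SAMPLE_FIREWALL) + triage_events(SAMPLE_EVENTS):
        print(f"{f.kind:15} {f.detail}")
```

Run it with no arguments to see the findings for the embedded sample. The SRP event is listed for review rather than called malicious: a home XP machine has no Software Restriction Policy rules by default, so a 1008 event means rules exist, and the rule set under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is what to read next.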

Re: AV Security Suite won't go away!

Post by Belahzur on Thu 01 Jul 2010, 2:18 am

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Update

Post by OhioPuppy on Thu 01 Jul 2010, 3:43 am

Thanks Belahzur! I can follow these additional steps when I get home from work, but I wanted to provide an update first. I realized that when I ran Hijack This and Malware Bytes when I was in Safe Mode, I had logged in as the Administrator, rather than as User.

After realizing this, I started the computer in Safe Mode again and logged in as User, and ran Hijack This and Malware Bytes again. I found the suspicious RUN: again via Hijack This, and I deleted it. Then I found four AV-infected files with Malware Bytes, and deleted those too. When I restarted my computer in normal mode, I saw no visible sign of AV Security.

However, what worries me now is that Microsoft Security Essentials does not seem to be starting up, and I can't even open the Security Essentials application to check configuration. Any thoughts about why that might be? Could the infection have compromised it? Should I reinstall it?


Re: AV Security Suite won't go away!

Post by Belahzur on Thu 01 Jul 2010, 5:54 am

Hello.
Don't worry about MSE; it will work once we get rid of the infection.

From what I can see from the OTL log, it's just an infection that hijacks your Google/Yahoo searches.



Re: AV Security Suite won't go away!

Post by OhioPuppy on Thu 01 Jul 2010, 6:37 am

Thanks for clarifying. Should I do these additional steps (OTL and GooredFix) in safe mode or in normal mode?


Re: AV Security Suite won't go away!

Post by Belahzur on Thu 01 Jul 2010, 7:14 am

Normal mode, because I want you to have a working internet connection in case.



Re: AV Security Suite won't go away!

Post by OhioPuppy on Thu 01 Jul 2010, 11:25 am

OK, I reran OTL with the new parameters.

Here is the Goored output:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:23 on 30/06/2010 (User)
Firefox version 2.0.0.20 (en-US)

========== GooredScan ==========

Removing Orphan:
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn" -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
[You must be registered and logged in to see this link.] [00:54 04/08/2007]
[You must be registered and logged in to see this link.] [00:54 04/08/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:54 04/08/2007]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [14:17 08/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:17 01/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [22:33 03/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [07:42 20/06/2009]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mrrorkfs.default\extensions\
staged-xpis [19:54 04/11/2009]
{20a82645-c095-46ed-80e3-08825760534b} [19:54 04/11/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [18:16 03/02/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [18:16 03/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" [00:54 04/08/2007]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:17 08/11/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [11:52 21/08/2009]

-=E.O.F=-


Re: AV Security Suite won't go away!

Post by OhioPuppy on Thu 01 Jul 2010, 11:41 am

Some new behavior after reboot in Normal mode:
1. There is a button in the Taskbar for an "app" that claims to be "GDI+ Window", which shows the icon for MSE. Clicking on the button does nothing, and MSE still won't start up.
2. Internet Explorer is still being pushed over to a Proxy server when I start the machine in Normal mode. (I'm running in Safe Mode With Networking right now.)

Also, and I'm feeling foolish about this: the output from the latest OTL run indicated that it couldn't find the files that were supposed to be moved, but I didn't capture the log to paste it here. I'm not sure that last run of OTL had the effect we were hoping for.

Thanks for hanging in there with me.

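The proxy redirection reported in the post above can be checked directly instead of waiting for the next reboot. What follows is an added example for this page, not code from the thread or from any of the tools used in it. Internet Explorer and every other WinINet client take their proxy from the per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL), so the script reads those values on Windows and reports a proxy that points back at the local machine, a proxy other than the one you expect, or a PAC script. The sample registry values embedded in it, including the port number, are constructed for the example.

```python
"""Check the per-user WinINet (Internet Explorer) proxy settings for a hijack.

Added example for this thread, not code from the original post or from any
tool used in it. IE and every WinINet client read their proxy from
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings:
ProxyEnable (DWORD), ProxyServer (REG_SZ, "host:port" or
"http=host:port;https=host:port"), ProxyOverride and AutoConfigURL (a PAC
script URL). A proxy pointing at 127.0.0.1 hands every request to a process
on the machine itself, which is how a rogue "security suite" puts its own
warning page in front of every site.

The sample values below (and port 5555 in them) are made up for the example;
the live registry read only runs on Windows.
"""
from __future__ import annotations

import sys

INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUES = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "0.0.0.0"}


def read_proxy_settings() -> dict:
    """Read the live values from HKCU on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INET_KEY) as key:
        for name in VALUES:
            try:
                settings[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # absent value is the clean default for most of these
    return settings


def proxy_hosts(proxy_server: str) -> list[str]:
    """'http=127.0.0.1:5555;https=127.0.0.1:5555' -> ['127.0.0.1', '127.0.0.1']."""
    hosts = []
    for entry in proxy_server.split(";"):
        entry = entry.strip()
        if entry:
            target = entry.split("=", 1)[-1]        # drop a 'scheme=' prefix
            hosts.append(target.rsplit(":", 1)[0])  # drop ':port'
    return hosts


def assess_proxy(settings: dict, expected_proxy: str | None = None) -> list[str]:
    """Return findings worth a human's attention; an empty list is clean."""
    findings = []
    enabled = bool(settings.get("ProxyEnable", 0))
    server = settings.get("ProxyServer") or ""
    pac = settings.get("AutoConfigURL") or ""
    if enabled and server:
        if expected_proxy is None or server.lower() != expected_proxy.lower():
            findings.append(f"ProxyEnable=1 with unexpected ProxyServer '{server}'")
        if any(h.lower() in LOOPBACK for h in proxy_hosts(server)):
            findings.append("proxy points at the local machine: requests pass "
                            "through a local process before leaving the box")
    if pac:
        findings.append(f"AutoConfigURL is set ('{pac}'): a PAC script can "
                        "redirect only the sites it chooses, read it")
    return findings


# Constructed sample values for the example (not taken from the thread).
HIJACKED_SAMPLE = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555",
                   "ProxyOverride": "<local>"}
CLEAN_SAMPLE = {"ProxyEnable": 0}
CORPORATE_SAMPLE = {"ProxyEnable": 1, "ProxyServer": "proxy.corp.example:8080"}

if __name__ == "__main__":
    live = read_proxy_settings()           # {} when not on Windows
    target = live if live else HIJACKED_SAMPLE
    print("checking live HKCU values" if live else "not on Windows, using the constructed sample")
    for finding in assess_proxy(target) or ["no proxy findings"]:
        print(" -", finding)
```

Pass `expected_proxy` when the machine legitimately uses a proxy so that only a changed server is reported; ProxyOverride is read for context only, because a hijacker normally leaves it alone.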

Re: AV Security Suite won't go away!

Post by OhioPuppy on Thu 01 Jul 2010, 10:48 pm

Additional, happier update: upon rebooting this morning in Normal mode, MSE is working, IE is not being pushed to a proxy, "GDI+ Window" does not appear, and Yahoo and Google searches don't seem to be getting derailed. And no sign of AV Security Suite.

Unless you see something in the logs I pasted above, I think I'm good. Please confirm that the logs look OK, and thanks again!


Re: AV Security Suite won't go away!

Post by Belahzur on Thu 01 Jul 2010, 11:56 pm

Hello.

  1. Close any open browsers.
  2. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
  3. Save this as Script.txt, in the same location as Gooredfix.exe
  4. Drag the script file into Gooredfix.exe
  5. When finished, it shall produce a log for you.
  6. Please post the contents of the log in your next reply.



Re: AV Security Suite won't go away!

Post by OhioPuppy on Fri 02 Jul 2010, 11:08 am

Here's the result; I'm not sure it found what it was supposed to delete:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:04 on 01/07/2010 (User)
Firefox version 2.0.0.20 (en-US)

========== Script ==========

Deleting "C:\D" -> Failed [1026]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
[You must be registered and logged in to see this link.] [00:54 04/08/2007]
[You must be registered and logged in to see this link.] [00:54 04/08/2007]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [00:54 04/08/2007]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [14:17 08/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [22:17 01/01/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [22:33 03/04/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [07:42 20/06/2009]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\mrrorkfs.default\extensions\
staged-xpis [19:54 04/11/2009]
{20a82645-c095-46ed-80e3-08825760534b} [19:54 04/11/2009]
{3112ca9c-de6d-4884-a869-9855de68056c} [18:16 03/02/2010]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [18:16 03/02/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}" [00:54 04/08/2007]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:17 08/11/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension" [11:52 21/08/2009]

---------- Old Logs ----------
GooredFix[00.03.50_02-07-2010].txt
GooredFix[00.23.20_01-07-2010].txt
GooredFix[00.36.35_01-07-2010].txt

-=E.O.F=-


Re: AV Security Suite won't go away!

Post by OhioPuppy on Fri 02 Jul 2010, 12:20 pm

Further update: Restarted in Normal mode just now. MSE was turned off, and I had been routed to a proxy server again.


Re: AV Security Suite won't go away!

Post by OhioPuppy on Sat 03 Jul 2010, 2:56 am

Also, for what it's worth, I searched manually and was able to find the object C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}. If Goored was meant to delete it, I'm not sure why it didn't see it.


Re: AV Security Suite won't go away!

Post by Belahzur on Sat 03 Jul 2010, 8:04 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: AV Security Suite won't go away!

Post by OhioPuppy on Sat 03 Jul 2010, 1:03 pm

OK, done:

ComboFix 10-07-01.02 - User 07/02/2010 21:54:37.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1426 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\User\Local Settings\Application Data\hjdrukcbe
c:\documents and settings\User\Local Settings\Application Data\hjdrukcbe\dcyrqcmtssd.exe
C:\LOG15.tmp
C:\LOG1A8.tmp
C:\LOG1C.tmp
C:\LOG3.tmp
C:\LOG4.tmp
C:\LOG50.tmp
C:\LOG58.tmp
C:\LOG8.tmp
C:\LOGA8F.tmp
C:\LOGC89.tmp
C:\LOGD.tmp
C:\LOGF.tmp
C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))
.

2010-07-01 00:22 . 2010-07-01 00:22 -------- d-----w- C:\_OTL
2010-06-30 01:59 . 2010-06-30 01:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Helios
2010-06-30 01:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 01:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 00:35 . 2010-06-30 00:35 -------- d-----w- c:\program files\Trend Micro
2010-06-30 00:24 . 2010-06-30 00:24 69632 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-21 23:36 . 2010-06-21 23:36 27630760 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-06-21 23:35 . 2010-06-15 00:23 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe
2010-06-11 20:42 . 2010-06-12 02:02 -------- d--h--w- c:\windows\$hf_mig$
2010-06-09 00:57 . 2010-06-09 00:57 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\msvcp71.dll
2010-06-09 00:57 . 2010-06-09 00:57 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\jmc.dll
2010-06-09 00:57 . 2010-06-09 00:57 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\msvcr71.dll
2010-06-03 15:00 . 2010-06-03 15:00 69632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-03 14:46 . 2010-06-03 14:46 -------- d-----w- c:\windows\Recent
2010-06-03 14:32 . 2010-06-03 14:32 37248 ----a-w- c:\windows\system32\drivers\ISAPNP.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 01:46 . 2010-05-25 23:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-30 01:26 . 2007-06-01 21:39 2644 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 01:15 . 2010-06-01 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 00:24 . 2010-06-01 20:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-27 15:52 . 2008-12-28 14:25 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-22 02:32 . 2010-03-01 22:50 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-06-21 23:35 . 2008-04-29 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-21 23:35 . 2010-03-01 22:51 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-06-12 02:02 . 2007-07-23 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-11 01:04 . 2007-07-14 21:58 -------- d-----w- c:\program files\GURPS Character Assistant 4
2010-06-02 19:42 . 2010-06-02 12:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 19:42 . 2010-06-02 12:42 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-06-02 19:42 . 2007-11-18 21:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-02 19:41 . 2007-07-20 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-02 19:41 . 2007-07-20 23:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-02 17:58 . 2010-06-02 17:58 -------- d-----w- c:\program files\Alwil Software
2010-06-02 17:58 . 2010-06-02 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-02 12:42 . 2010-06-02 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 18:56 . 2010-06-01 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-01 17:37 . 2009-10-03 05:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-01 14:56 . 2007-05-08 23:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-01 14:13 . 2008-10-24 17:29 -------- d-----w- c:\program files\CCleaner
2010-05-30 15:30 . 2009-03-21 12:33 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-05-25 23:28 . 2010-05-25 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-25 23:24 . 2010-05-25 23:24 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-16 12:28 . 2010-05-16 12:28 55287536 ----a-w- c:\documents and settings\User\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_1_3.exe
2010-05-08 22:19 . 2010-05-08 22:19 30656856 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-05-08 22:19 . 2010-05-08 22:19 6173016 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
2010-05-06 00:00 . 2009-03-25 01:30 -------- d-----w- c:\documents and settings\User\Application Data\U3
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-07-13 22:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 17:21 . 2010-04-24 17:21 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-24 17:17 . 2010-04-24 17:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 19:25 . 2010-04-14 19:25 50 ----a-w- c:\windows\system32\bridf06a.dat
2010-04-14 19:24 . 2010-04-14 19:23 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-04-01 02:47 . 2008-03-15 21:15 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2010-02-04 00:11 . 2007-08-04 00:54 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-02-04 00:11 . 2007-08-04 00:54 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-02-04 00:11 . 2007-08-04 00:54 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-02-04 00:11 . 2007-08-04 00:54 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-02-04 00:11 . 2007-08-04 00:54 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 16:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-15 2920632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2008-03-28 9142272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-05-03 550232]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-23 6110528]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciServiceHost.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56107:TCP"= 56107:TCP:Pando Media Booster
"56107:UDP"= 56107:UDP:Pando Media Booster

R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [11/12/2009 2:42 PM 299008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/14/2009 7:14 PM 135664]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/31/2009 6:33 PM 18560]
S3 idrmkl;idrmkl;\??\c:\docume~1\User\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\User\LOCALS~1\Temp\idrmkl.sys [?]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [8/3/2007 8:54 PM 708688]
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 23:13]

2010-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 23:13]

2010-07-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\mrrorkfs.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-02 21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1275210071-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0b,b3,d4,2d,b1,14,6b,ab,4f,2d,14,e9,14,2f,17,87,28,43,90,fa,2e,06,16,
4f,27,57,3e,2f,ed,c1,fa,6a,16,a6,e3,87,25,67,b2,a1,93,a5,6d,ec,a2,64,ca,a7,\
"??"=hex:47,00,8e,e2,f2,c2,e1,37,8f,a9,ce,11,88,bb,31,08

[HKEY_USERS\S-1-5-21-343818398-1275210071-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:49,2b,1c,a9,0a,67,67,79,2d,12,57,62,de,fe,58,e7,9a,35,c1,02,c8,
15,63,5d,31,e0,91,6a,46,16,36,d0,11,f8,4e,99,63,25,6e,fa,f4,5f,28,61,a6,9e,\
"rkeysecu"=hex:1f,30,d6,89,ee,f1,40,7a,c9,96,f2,c3,16,79,2b,b3
.
Completion time: 2010-07-02 22:00:39
ComboFix-quarantined-files.txt 2010-07-03 02:00

Pre-Run: 187,508,535,296 bytes free
Post-Run: 187,919,237,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 235234623B35736A0B3FF6FEDA66BA2E

OhioPuppy

Newbie Surfer

Posts : 15
Joined : 2010-06-30
Operating System : Windows XP Professional


Re: AV Security Suite won't go away!

Post by Belahzur on Sun 04 Jul 2010, 9:42 am

Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Driver::
    idrmkl

    DDS::
    uInternet Settings,ProxyOverride =

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
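Added example, not part of this thread or of ComboFix itself: a small Python triage script that applies the reasoning behind the CFScript above to ComboFix report lines. It flags a driver/service started from a Temp directory, an image ComboFix could not read (`[?]`), a Security Center monitoring key switched off, the IE ProxyOverride entry and a non-direct Firefox proxy mode, then emits a CFScript in the same `Driver::` / `DDS::` shape the helper posted. The sample lines are constructed to match the log format in this thread; the rule names and severities are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the ComboFix report format used in this thread. The idrmkl
# service line and the ProxyOverride line mirror what the helper's CFScript targeted;
# the Symantec line shows a "[?]" without a Temp path, the rest are benign for contrast.
SAMPLE_LOG = r"""
R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [11/12/2009 2:42 PM 299008]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/31/2009 6:33 PM 18560]
S3 idrmkl;idrmkl;\??\c:\docume~1\User\LOCALS~1\Temp\idrmkl.sys --> c:\docume~1\User\LOCALS~1\Temp\idrmkl.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
uInternet Settings,ProxyOverride =
FF - prefs.js: network.proxy.type - 4
"""


@dataclass
class Finding:
    rule: str       # which check fired (names are this example's own)
    severity: str   # "high", "medium" or "info"
    item: str       # service name, registry key or setting that triggered it
    reason: str


# Service lines look like: R2/S3 name;display;image path [date time size]  or  [?]
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
# Directory names a legitimately installed driver should never be loaded from
VOLATILE_DIRS = ("\\temp\\", "\\tmp\\")


def triage(log_text: str) -> List[Finding]:
    """Walk ComboFix report lines and return the entries a helper would look at first."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, path, info = m.groups()
            if any(d in path.lower() for d in VOLATILE_DIRS):
                findings.append(Finding("temp_image", "high", name,
                                        "driver/service image lives under a Temp directory: " + path))
            if info.strip() == "?":
                findings.append(Finding("missing_image", "medium", name,
                                        "ComboFix could not read the image file ([?]): missing or hidden"))
            continue
        k = REG_KEY_RE.match(line)
        if k:
            current_key = k.group(1)   # remember the key that following values belong to
            continue
        if (line.lower() == '"disablemonitoring"=dword:00000001'
                and "security center\\monitoring" in current_key.lower()):
            findings.append(Finding("sc_monitoring_off", "info", current_key,
                                    "Security Center monitoring switched off here; verify a known product set it"))
            continue
        if line.startswith("uInternet Settings,ProxyOverride"):
            findings.append(Finding("proxy_override", "medium", "ProxyOverride",
                                    "IE proxy override entry present; the CFScript above clears it"))
            continue
        if line.startswith("FF - prefs.js: network.proxy.type"):
            value = line.rsplit("-", 1)[1].strip()
            if value != "0":   # 0 is "no proxy"; anything else routes traffic somewhere
                findings.append(Finding("ff_proxy", "info", "network.proxy.type",
                                        f"Firefox proxy mode {value} (not direct); confirm it is intended"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Emit a CFScript shaped like the helper's: Driver:: for drivers started from Temp,
    DDS:: for the proxy override line. A bare [?] alone does not earn a Driver:: entry."""
    drivers = sorted({f.item for f in findings if f.rule == "temp_image"})
    sections = []
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    if any(f.rule == "proxy_override" for f in findings):
        sections.append("DDS::\nuInternet Settings,ProxyOverride =")
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
    print(build_cfscript(found))
```

A `[?]` on its own, as with the Symantec EraserUtil driver in the log above, only says ComboFix could not read the file, so the Temp-directory hit is what singles out idrmkl and the generated CFScript names only that driver.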


AV Suite

Post by Phaedrus on Sun 04 Jul 2010, 10:12 am

Worked a treat.

Would Super AntiSpyware have worked? Also, any clues where this devilish "mal ware" came from?

Phaedrus

Phaedrus

Unborn

Posts : 1
Joined : 2010-07-04
Operating System : XP Pro


Re: AV Security Suite won't go away!

Post by OhioPuppy on Sun 04 Jul 2010, 1:18 pm

OK, here's the latest one from ComboFix:

ComboFix 10-07-01.02 - User 07/03/2010 21:59:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1529 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IDRMKL
-------\Service_idrmkl


((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-03 21:44 . 2010-07-03 21:44 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PCHealth
2010-07-03 01:50 . 2010-07-03 02:00 -------- d-----w- C:\Combo-Fix
2010-07-01 00:22 . 2010-07-01 00:22 -------- d-----w- C:\_OTL
2010-06-30 01:59 . 2010-06-30 01:59 -------- d-----w- c:\documents and settings\Administrator\Application Data\Helios
2010-06-30 01:14 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-30 01:14 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 00:35 . 2010-06-30 00:35 -------- d-----w- c:\program files\Trend Micro
2010-06-30 00:24 . 2010-06-30 00:24 69632 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-21 23:36 . 2010-06-21 23:36 27630760 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\msgup1000_1270_us_u1.exe
2010-06-21 23:35 . 2010-06-15 00:23 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUPDATER\yupdater.exe
2010-06-11 20:42 . 2010-06-12 02:02 -------- d--h--w- c:\windows\$hf_mig$
2010-06-09 00:57 . 2010-06-09 00:57 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\msvcp71.dll
2010-06-09 00:57 . 2010-06-09 00:57 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\jmc.dll
2010-06-09 00:57 . 2010-06-09 00:57 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-2abd5dec-n\msvcr71.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-03 21:37 . 2008-12-28 14:25 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-07-03 21:35 . 2010-05-25 23:25 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-06-30 01:26 . 2007-06-01 21:39 2644 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 01:15 . 2010-06-01 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-30 00:24 . 2010-06-01 20:36 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-06-22 02:32 . 2010-03-01 22:50 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2010-06-21 23:35 . 2008-04-29 23:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-06-21 23:35 . 2010-03-01 22:51 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2010-06-12 02:02 . 2007-07-23 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-11 01:04 . 2007-07-14 21:58 -------- d-----w- c:\program files\GURPS Character Assistant 4
2010-06-03 15:00 . 2010-06-03 15:00 69632 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-03 14:32 . 2010-06-03 14:32 37248 ----a-w- c:\windows\system32\drivers\ISAPNP.SYS
2010-06-02 19:42 . 2010-06-02 12:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 19:42 . 2010-06-02 12:42 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-06-02 19:42 . 2007-11-18 21:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-06-02 19:41 . 2007-07-20 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-02 19:41 . 2007-07-20 23:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-02 17:58 . 2010-06-02 17:58 -------- d-----w- c:\program files\Alwil Software
2010-06-02 17:58 . 2010-06-02 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-02 12:42 . 2010-06-02 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-01 18:56 . 2010-06-01 18:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-06-01 17:37 . 2009-10-03 05:35 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-01 14:56 . 2007-05-08 23:07 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-01 14:13 . 2008-10-24 17:29 -------- d-----w- c:\program files\CCleaner
2010-05-30 15:30 . 2009-03-21 12:33 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-05-25 23:28 . 2010-05-25 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-25 23:24 . 2010-05-25 23:24 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-16 12:28 . 2010-05-16 12:28 55287536 ----a-w- c:\documents and settings\User\Application Data\LEGO Company\LEGO Digital Designer\setupLDD-PC-3_1_3.exe
2010-05-08 22:19 . 2010-05-08 22:19 30656856 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2010-05-08 22:19 . 2010-05-08 22:19 6173016 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
2010-05-06 00:00 . 2009-03-25 01:30 -------- d-----w- c:\documents and settings\User\Application Data\U3
2010-05-04 17:20 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-07-13 22:22 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2006-02-28 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 17:21 . 2010-04-24 17:21 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-24 17:17 . 2010-04-24 17:17 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-04-20 05:30 . 2006-02-28 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 19:25 . 2010-04-14 19:25 50 ----a-w- c:\windows\system32\bridf06a.dat
2010-04-14 19:24 . 2010-04-14 19:23 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2009-04-01 02:47 . 2008-03-15 21:15 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2010-02-04 00:11 . 2007-08-04 00:54 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-02-04 00:11 . 2007-08-04 00:54 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-02-04 00:11 . 2007-08-04 00:54 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-02-04 00:11 . 2007-08-04 00:54 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-02-04 00:11 . 2007-08-04 00:54 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-04 02:06 . 2010-07-04 02:06 16384 c:\windows\Temp\Perflib_Perfdata_ac.dat
+ 2010-07-04 02:06 . 2010-07-04 02:06 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 16:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-15 2920632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2008-03-28 9142272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-04-11 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="nwiz.exe" [2009-05-01 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-05-03 550232]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-06-23 6110528]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Common Files\\Motive\\McciServiceHost.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56107:TCP"= 56107:TCP:Pando Media Booster
"56107:UDP"= 56107:UDP:Pando Media Booster

R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [11/12/2009 2:42 PM 299008]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/14/2009 7:14 PM 135664]
S3 EraserUtilDrv11010;EraserUtilDrv11010;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11010.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/31/2009 6:33 PM 18560]
S3 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [8/3/2007 8:54 PM 708688]
.
Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2010-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 23:13]

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-14 23:13]

2010-07-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\mrrorkfs.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-03 22:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1275210071-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:0b,b3,d4,2d,b1,14,6b,ab,4f,2d,14,e9,14,2f,17,87,28,43,90,fa,2e,06,16,
4f,27,57,3e,2f,ed,c1,fa,6a,16,a6,e3,87,25,67,b2,a1,93,a5,6d,ec,a2,64,ca,a7,\
"??"=hex:47,00,8e,e2,f2,c2,e1,37,8f,a9,ce,11,88,bb,31,08

[HKEY_USERS\S-1-5-21-343818398-1275210071-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:49,2b,1c,a9,0a,67,67,79,2d,12,57,62,de,fe,58,e7,9a,35,c1,02,c8,
15,63,5d,31,e0,91,6a,46,16,36,d0,11,f8,4e,99,63,25,6e,fa,f4,5f,28,61,a6,9e,\
"rkeysecu"=hex:1f,30,d6,89,ee,f1,40,7a,c9,96,f2,c3,16,79,2b,b3
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2208)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Brother\Brmfcmon\BrMfimon.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-03 22:10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 02:10
ComboFix2.txt 2010-07-03 02:00

Pre-Run: 187,874,418,688 bytes free
Post-Run: 187,804,852,224 bytes free

- - End Of File - - E6E1CB95C9268348FD76DB648F2623A4



Every infection that has turned up since we started this thread has been in the past two weeks, since I took my PC into the shop to get it disinfected and they talked me into ditching Norton and using MSE. Norton wasn't perfect, but I never got this kind of multi-front assault in the space of two weeks -- with completely innocuous web-surfing (I promise). Is this a quality issue with MSE? Should I go back to Norton? Or is it more likely that the shop missed something that has compromised my security?

And once again, thanks for sticking with me.

OhioPuppy

Newbie Surfer

Posts : 15
Joined : 2010-06-30
Operating System : Windows XP Professional

Re: AV Security Suite won't go away!

Post by Belahzur on Mon 05 Jul 2010, 11:20 am

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Re: AV Security Suite won't go away!

Post by OhioPuppy on Tue 06 Jul 2010, 2:53 am

ESET Online Scanner log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=9ebce94334ee0742999c29f0a837a7c3
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-05 03:50:12
# local_time=2010-07-05 11:50:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 1919689 1919689 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 100 100 0 7854195 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=134135
# found=0
# cleaned=0
# scan_time=2196

If there were a rootkit infection, would this have likely found it? I ran it with "Enable Anti-Stealth Technology" run as well.

Also, I still have HitMan Pro installed from a previous attempt to get rid of infections -- could MSE be getting suppressed when I boot up because HitMan is doing its initial scan?

OhioPuppy


Re: AV Security Suite won't go away!

Post by Belahzur on Tue 06 Jul 2010, 8:09 am

Possibly, if you don't want hitman, uninstall it.




Belahzur


Re: AV Security Suite won't go away!

Post by OhioPuppy on Wed 07 Jul 2010, 11:06 am

So is that ESET scan clean? Any other steps to follow, or am I good as far as you can tell? (he asked hopefully)

OhioPuppy


Re: AV Security Suite won't go away!

Post by Belahzur on Wed 07 Jul 2010, 11:39 am

Hello.
Yeah, the ESET log is clean.




Belahzur

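Reading the ESET log posted above and the "clean" verdict given for it: the following is an added example, not part of the original thread and not ESET's own tooling. It parses the "# key=value" header of an ESET Online Scanner log.txt and reports what a "clean" result does and does not cover (in the run above, archives and potentially unsafe applications were not scanned, so the verdict is only as broad as the options that were on). The function names, the second sample log and its tab-separated detection-line layout are assumptions made for this example.

```python
"""Decide whether an ESET Online Scanner log.txt can be called clean.

Example added to this thread, not ESET's own tooling. The first sample's
header lines are copied from the log posted in the thread; the second
sample, its detection-line format (path, threat name, action, separated
by tabs) and every function name are this example's assumptions.
"""
from __future__ import annotations

# Constructed sample 1: the header of the clean run posted in the thread.
CLEAN_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# osver=5.1.2600 NT Service Pack 3
# scanned=134135
# found=0
# cleaned=0
# scan_time=2196
"""

# Constructed sample 2: what a run that found something might look like.
# The detection lines are invented for illustration (assumed layout).
DIRTY_LOG = """\
# version=7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# scanned=1000
# found=2
# cleaned=1
# scan_time=60
C:\\example\\a.exe\tWin32/Example.A trojan\tcleaned by deleting - quarantined
C:\\example\\b.dll\tWin32/Example.B trojan\terror while cleaning
"""


def parse_log(text: str) -> tuple[dict[str, str], list[str]]:
    """Split a log into its '# key=value' header and trailing detection lines.

    Repeated keys (compatibility_mode appears several times) keep the first
    value only; they play no part in the verdict. Installer chatter that
    precedes the first '#' line is ignored.
    """
    fields: dict[str, str] = {}
    detections: list[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep and key not in fields:
                fields[key] = value
        elif fields:
            # Non-header text once the header has begun: one line per detection.
            detections.append(line)
    return fields, detections


def verdict(text: str) -> tuple[str, list[str]]:
    """Return ('clean' | 'dirty' | 'incomplete', caveats).

    A 'clean' verdict is only as strong as the options that were enabled,
    so options left off are reported as caveats instead of being ignored.
    """
    fields, detections = parse_log(text)
    caveats: list[str] = []
    if fields.get("end") != "finished":
        return "incomplete", ["scan did not reach end=finished"]
    for flag, note in (
        ("archives_checked", "archives were not scanned"),
        ("unsafe_checked", "potentially unsafe applications were not flagged"),
        ("antistealth_checked", "anti-stealth (rootkit) checking was off"),
    ):
        if fields.get(flag) != "true":
            caveats.append(note)
    found = int(fields.get("found", "0"))
    cleaned = int(fields.get("cleaned", "0"))
    if found == 0 and not detections:
        return "clean", caveats
    if fields.get("remove_checked") == "true" and cleaned < found:
        caveats.append(f"{found - cleaned} of {found} detection(s) not cleaned")
    return "dirty", caveats


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("dirty", DIRTY_LOG)):
        status, notes = verdict(log)
        print(f"{name}: {status}; " + ("; ".join(notes) or "no caveats"))
```

Run against the posted header this reports "clean" with two caveats, which is the honest reading of that log: nothing was found in what was scanned, but archives and potentially unsafe applications were outside the scan's scope.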

Re: AV Security Suite won't go away!

Post by OhioPuppy on Wed 07 Jul 2010, 12:14 pm

Great -- thanks once again for sticking with me!

OhioPuppy

