Win32 on XP


Win32 on XP

Post by brick on 17th August 2010, 4:33 pm

Our family computer [an XP] has recently been slowing down. We ran ESET and found Win32 viruses on the computer; we removed them, but it doesn't seem like it fixed anything. Is there anything you can do to help? We have Secunia, Avast, Cookienator, and Spyblaster on the computer.

brick
Intermediate

Posts : 130
Joined : 2010-06-09
Gender : Female
OS : xp
Protection : avast
Points : 25747
# Likes : 0


Re: Win32 on XP

Post by Dr Jay on 18th August 2010, 6:02 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14314
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302989
# Likes : 10


Re: Win32 on XP

Post by brick on 18th August 2010, 4:01 pm

here are the logs

ComboFix 10-08-17.04 - David and Marla 08/18/2010 11:30:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.261 [GMT -4:00]
Running from: c:\documents and settings\David and Marla\desktop\combo-fix.exe
Command switches used :: /killall
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\David and Marla\Application Data\.#
c:\documents and settings\David and Marla\Application Data\.#\MBX@A94@3F3F70.###
c:\documents and settings\David and Marla\Application Data\.#\MBX@A94@3F3FA0.###
c:\documents and settings\David and Marla\Cookies\gicizo.db
c:\documents and settings\David and Marla\Cookies\ubif._dl
C:\NORTON~1.EXE
C:\restore
c:\windows\jestertb.dll
c:\windows\Tasks\jwjzywem.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Service_$sys$DRMServer


((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-17 17:10 . 2010-08-17 17:12 -------- d-----w- c:\program files\QuickTime
2010-08-17 17:10 . 2010-08-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-19 23:42 . 2010-07-19 23:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 20:32 . 2008-12-24 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-17 13:32 . 2010-06-08 23:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-15 15:54 . 2009-04-01 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 15:54 . 2010-06-08 17:37 -------- d-----w- c:\program files\SpywareBlaster
2010-07-19 15:05 . 2008-10-22 12:56 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-13 15:08 . 2010-07-13 15:08 -------- d-----w- c:\program files\Teaching Textbooks
2010-07-07 16:58 . 2010-07-07 16:58 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Amazon
2010-07-07 16:57 . 2010-07-07 16:57 -------- d-----w- c:\program files\Amazon
2010-07-02 17:23 . 2009-01-24 18:10 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-02 17:20 . 2009-01-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 11:40 -------- d-----w- c:\program files\Yahoo!
2010-06-30 12:31 . 2005-12-13 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-07-13 15:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-05-23 17:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-05-23 17:38 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-23 17:38 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-05-23 17:38 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-05-23 17:38 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-05-23 17:38 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-23 17:38 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-05-23 17:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2005-12-13 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-12-13 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2005-12-13 16:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2005-12-13 16:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-11 17:24 . 2010-06-11 17:24 53632 ----a-w- c:\documents and settings\David and Marla\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-06-08 23:31 . 2010-06-08 23:31 61440 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c20da02-n\decora-sse.dll
2010-06-08 23:31 . 2010-06-08 23:31 12800 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c20da02-n\decora-d3d.dll
2010-06-08 23:31 . 2010-06-08 23:31 503808 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\msvcp71.dll
2010-06-08 23:31 . 2010-06-08 23:31 499712 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\jmc.dll
2010-06-08 23:31 . 2010-06-08 23:31 348160 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-25673c6a-n\msvcr71.dll
2010-06-08 23:29 . 2010-06-08 23:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-08 23:25 . 2010-06-08 23:25 79488 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-08 23:25 . 2010-06-08 23:25 152576 ----a-w- c:\documents and settings\David and Marla\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-23 17:44 . 2009-12-15 01:41 0 ----a-w- c:\documents and settings\David and Marla\Local Settings\Application Data\prvlcl.dat
2009-08-21 14:54 . 2009-08-21 14:54 18046 ----a-w- c:\program files\Common Files\quhuc.scr
2009-08-21 14:54 . 2009-08-21 14:54 16954 ----a-w- c:\program files\Common Files\ufusegiq.pif
2009-08-21 14:54 . 2009-08-21 14:54 12451 ----a-w- c:\program files\Common Files\qajaci.reg
2009-08-21 14:54 . 2009-08-21 14:54 10705 ----a-w- c:\program files\Common Files\enivofoky.lib
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookienator"="c:\program files\Cookienator\cookienator.exe" [2009-10-19 1333472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-13 46592]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2006-03-09 262144]
"SiSPower"="SiSPower.dll" [2006-03-09 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\David and Marla\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\WINDOWS\\system32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/06/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/07/2004 3:57 AM 11904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/23/2010 1:38 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/23/2010 1:38 PM 17744]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [05/28/2010 7:04 AM 14896]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 16:53]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = localhost;
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\David and Marla\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-SiS KHooker - c:\windows\system32\khooker.exe
HKLM-Run-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
AddRemove-Blue's Art Time Activities - c:\hegames\ArtTime\Uninst.isu
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\David and Marla\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-18 11:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3889389676-2448089655-718245918-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(744)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\HPZipm12.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2010-08-18 11:58:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 15:58

Pre-Run: 13,539,303,424 bytes free
Post-Run: 13,763,870,720 bytes free

- - End Of File - - 7E055476C48AA24F354B3ACCE7A7F0D3

brick
Intermediate

Posts : 130
Joined : 2010-06-09
Gender : Female
OS : xp
Protection : avast
Points : 25747
# Likes : 0


Re: Win32 on XP

Post by Dr Jay on 18th August 2010, 6:27 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    http://www.GeekPolice.net/-f11/-t23363.htm

    Killall::

    Collect::
    c:\program files\Common Files\quhuc.scr
    c:\program files\Common Files\ufusegiq.pif
    c:\program files\Common Files\qajaci.reg
    c:\program files\Common Files\enivofoky.lib

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = localhost;

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14314
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302989
# Likes : 10

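The two indicators the CFScript above acts on, the four loose files in Common Files (quarantined with Collect::) and the IE proxy pointed at 127.0.0.1:5555 (reset with DDS::), can be pulled out of a ComboFix log mechanically. This is an added Python example, not a tool from the thread or from ComboFix: it parses a constructed sample of the log's Find3M and Supplementary Scan lines, applies those two checks plus a same-minute clustering heuristic, and drafts a script in the Killall::/Collect::/DDS::/Reboot:: form used in the post; the order of the two timestamp columns is assumed and not relied upon.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the log posted in this thread: a few
# Find3M lines plus the Supplementary Scan lines the helper acted on.
SAMPLE_LOG = """\
2010-06-30 12:31 . 2005-12-13 16:38 149504 ----a-w- c:\\windows\\system32\\schannel.dll
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\\windows\\system32\\drivers\\psi_mf.sys
2009-08-21 14:54 . 2009-08-21 14:54 18046 ----a-w- c:\\program files\\Common Files\\quhuc.scr
2009-08-21 14:54 . 2009-08-21 14:54 16954 ----a-w- c:\\program files\\Common Files\\ufusegiq.pif
2009-08-21 14:54 . 2009-08-21 14:54 12451 ----a-w- c:\\program files\\Common Files\\qajaci.reg
2009-08-21 14:54 . 2009-08-21 14:54 10705 ----a-w- c:\\program files\\Common Files\\enivofoky.lib
2010-08-17 13:32 . 2010-06-08 23:54 -------- d-----w- c:\\program files\\Common Files\\Adobe AIR
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = localhost;
"""

# "<ts> . <ts> <size|--------> <attrs> <path>". The two timestamps are kept as
# printed and only compared for equality, so their order is not relied upon.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([d-][-a-z]{7}) (.+)$"
)

class Entry(NamedTuple):
    ts1: str
    ts2: str
    size: int       # -1 for directories, which the log prints as --------
    attrs: str      # leading 'd' marks a directory
    path: str

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

def parse_log(text: str):
    """Split a log into file entries and the 'u/mInternet Settings' lines."""
    entries, settings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            ts1, ts2, size, attrs, path = m.groups()
            entries.append(Entry(ts1, ts2, -1 if size[0] == "-" else int(size), attrs, path))
        elif re.match(r"^[um]Internet Settings,", line):
            settings.append(line)
    return entries, settings

def files_dropped_in_common_files(entries: List[Entry]) -> List[str]:
    """Vendors install into a subfolder of Common Files; loose files in its
    root are the pattern quarantined above. Directories (Adobe AIR) are skipped."""
    return [e.path for e in entries
            if not e.attrs.startswith("d") and e.parent.endswith("\\common files")]

def same_minute_clusters(entries: List[Entry], min_files: int = 3) -> Dict[tuple, List[str]]:
    """Files in one directory sharing both timestamps: a batch dropped together."""
    groups = defaultdict(list)
    for e in entries:
        if not e.attrs.startswith("d"):
            groups[(e.parent, e.ts1, e.ts2)].append(e.path)
    return {key: paths for key, paths in groups.items() if len(paths) >= min_files}

def proxy_points_at_localhost(settings: List[str]) -> List[str]:
    """Return the Proxy* lines when ProxyServer routes IE through 127.x or
    localhost; a proxy on the machine itself is what the DDS:: block resets."""
    proxy_lines = [s for s in settings if ",Proxy" in s]
    for s in proxy_lines:
        key, _, value = s.partition(" = ")
        if not key.endswith("ProxyServer"):
            continue
        for part in value.split(";"):          # "http=host:port" or "host:port"
            host = part.split("=")[-1].rsplit(":", 1)[0].strip().lower()
            if host == "localhost" or host.startswith("127."):
                return proxy_lines
    return []

def draft_cfscript(collect: List[str], dds: List[str]) -> str:
    """Directive layout used in the thread; a draft for the helper to review."""
    lines = ["Killall::", ""]
    if collect:
        lines += ["Collect::", *collect, ""]
    if dds:
        lines += ["DDS::", *dds, ""]
    lines.append("Reboot::")
    return "\n".join(lines) + "\n"

def triage(text: str) -> str:
    entries, settings = parse_log(text)
    suspicious = files_dropped_in_common_files(entries)
    for paths in same_minute_clusters(entries).values():
        suspicious += [p for p in paths if p not in suspicious]
    return draft_cfscript(suspicious, proxy_points_at_localhost(settings))

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run against a full ComboFix.txt the same functions apply unchanged; the clustering rule is a heuristic and its hits still need a look at the full log before they go into Collect::.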

Re: Win32 on XP

Post by brick on 18th August 2010, 8:21 pm

here are the combo fix logs

ComboFix 10-08-17.04 - David and Marla 08/18/2010 15:28:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.232 [GMT -4:00]
Running from: c:\documents and settings\David and Marla\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\David and Marla\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\program files\Common Files\enivofoky.lib
file zipped: c:\program files\Common Files\qajaci.reg
file zipped: c:\program files\Common Files\quhuc.scr
file zipped: c:\program files\Common Files\ufusegiq.pif
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\enivofoky.lib
c:\program files\Common Files\qajaci.reg
c:\program files\Common Files\quhuc.scr
c:\program files\Common Files\ufusegiq.pif

.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-17 17:10 . 2010-08-17 17:12 -------- d-----w- c:\program files\QuickTime
2010-08-17 17:10 . 2010-08-17 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-19 23:42 . 2010-07-19 23:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 20:32 . 2008-12-24 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-17 13:32 . 2010-06-08 23:54 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-08-15 15:54 . 2009-04-01 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-15 15:54 . 2010-06-08 17:37 -------- d-----w- c:\program files\SpywareBlaster
2010-07-19 15:05 . 2008-10-22 12:56 -------- d-----w- c:\program files\Messenger Plus! Live
2010-07-13 15:08 . 2010-07-13 15:08 -------- d-----w- c:\program files\Teaching Textbooks
2010-07-07 16:58 . 2010-07-07 16:58 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Amazon
2010-07-07 16:57 . 2010-07-07 16:57 -------- d-----w- c:\program files\Amazon
2010-07-02 17:23 . 2009-01-24 18:10 -------- d-----w- c:\documents and settings\David and Marla\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-07-02 17:20 . 2009-01-24 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-02 17:20 . 2008-10-16 11:40 -------- d-----w- c:\program files\Yahoo!
2010-06-30 12:31 . 2005-12-13 16:38 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-28 20:57 . 2010-07-13 15:57 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2010-05-23 17:36 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2010-05-23 17:38 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-23 17:38 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2010-05-23 17:38 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2010-05-23 17:38 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2010-05-23 17:38 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-23 17:38 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2010-05-23 17:38 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-24 12:22 . 2005-10-21 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2005-12-13 16:38 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2005-12-13 16:38 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2005-12-13 16:36 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41 . 2005-12-13 16:37 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-08 23:29 . 2010-06-08 23:30 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-28 11:04 . 2010-05-28 11:04 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-23 17:44 . 2009-12-15 01:41 0 ----a-w- c:\documents and settings\David and Marla\Local Settings\Application Data\prvlcl.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookienator"="c:\program files\Cookienator\cookienator.exe" [2009-10-19 1333472]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-09-13 46592]
"SiS Tray"="c:\windows\system32\sistray.EXE" [2006-03-09 262144]
"SiSPower"="SiSPower.dll" [2006-03-09 49152]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\David and Marla\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2010-5-28 911920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\WINDOWS\\system32\\lxdmcoms.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmtime.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\lxdmFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdmjswx.exe"=
"c:\\Program Files\\Lexmark 5000 Series\\frun.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/06/2004 10:11 AM 18432]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/07/2004 3:57 AM 11904]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [05/23/2010 1:38 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/23/2010 1:38 PM 17744]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [05/28/2010 7:04 AM 14896]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-08-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 16:53]
.
.
------- Supplementary Scan -------
.
uSearch Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\David and Marla\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-18 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3889389676-2448089655-718245918-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1704)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\drivers\KodakCCS.exe
c:\windows\system32\lxdmcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SOUNDMAN.EXE
c:\windows\System32\HPZipm12.exe
c:\windows\system32\ScsiAccess.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2010-08-18 16:05:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 20:05
ComboFix2.txt 2010-08-18 15:58

Pre-Run: 13,736,275,968 bytes free
Post-Run: 13,667,176,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 8A44B38DBA5BCCC9DE8103F4E0F5A91E


Re: Win32 on XP

Post by Dr Jay on 18th August 2010, 9:10 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 18th August 2010, 9:36 pm

here are the Malwarebytes logs

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4447

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

08/18/2010 5:34:10 PM
mbam-log-2010-08-18 (17-34-10).txt

Scan type: Quick scan
Objects scanned: 129024
Time elapsed: 11 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Win32 on XP

Post by Dr Jay on 18th August 2010, 9:40 pm

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 18th August 2010, 10:53 pm

here are the logs

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF79C8000 \WINDOWS\system32\KDCOM.DLL
0xF78D8000 \WINDOWS\system32\BOOTVID.dll
0xF7479000 ACPI.sys
0xF79CA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF7468000 pci.sys
0xF74C8000 isapnp.sys
0xF7A90000 pciide.sys
0xF7748000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF74D8000 MountMgr.sys
0xF7449000 ftdisk.sys
0xF7750000 PartMgr.sys
0xF74E8000 VolSnap.sys
0xF7431000 atapi.sys
0xF74F8000 disk.sys
0xF7508000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF7411000 fltmgr.sys
0xF73FF000 sr.sys
0xF73E8000 KSecDD.sys
0xF73D5000 WudfPf.sys
0xF7348000 Ntfs.sys
0xF731B000 NDIS.sys
0xF7518000 Combo-Fix.sys
0xF7758000 SISAGP.sys
0xF7301000 Mup.sys
0xF7760000 $sys$cor.sys
0xF7668000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF5EC5000 \SystemRoot\System32\DRIVERS\sisgrp.sys
0xF5EB1000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF796C000 \??\C:\WINDOWS\system32\$sys$filesystem\crater.sys
0xF7678000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7688000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7698000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF5E8E000 \SystemRoot\System32\DRIVERS\ks.sys
0xF5DF0000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF5DCC000 \SystemRoot\system32\drivers\portcls.sys
0xF76A8000 \SystemRoot\system32\drivers\drmk.sys
0xF77F0000 \SystemRoot\System32\DRIVERS\usbohci.sys
0xF5DA8000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xF77F8000 \SystemRoot\System32\DRIVERS\usbehci.sys
0xF7800000 \SystemRoot\System32\DRIVERS\sisnic.sys
0xF7808000 \SystemRoot\System32\DRIVERS\DM9PCI5.SYS
0xF5D13000 \SystemRoot\System32\DRIVERS\ltmdmnt.sys
0xF7820000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7830000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF76B8000 \SystemRoot\System32\DRIVERS\serial.sys
0xF7980000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF5CFF000 \SystemRoot\System32\DRIVERS\parport.sys
0xF76C8000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF7840000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7AB8000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF76D8000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF798C000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF5CE8000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF76E8000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF76F8000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7860000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF5CD7000 \SystemRoot\System32\DRIVERS\psched.sys
0xF7708000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF7870000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7880000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF7718000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF7888000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF79DA000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF5C79000 \SystemRoot\System32\DRIVERS\update.sys
0xF79A0000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF7728000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7558000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xF79E0000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF78A8000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF79E4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7578000 \SystemRoot\system32\DRIVERS\DcCam.sys
0xF2C2F000 \SystemRoot\system32\DRIVERS\EXPORTIT.SYS
0xF7AD8000 \SystemRoot\System32\Drivers\Null.SYS
0xF78C8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78D0000 \SystemRoot\System32\drivers\vga.sys
0xF79EA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7780000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7790000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6B85000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF2BFC000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF2BA3000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF5F95000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xF2B55000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF2B2D000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF5F85000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF2B0B000 \SystemRoot\System32\drivers\afd.sys
0xF5F75000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF7964000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF5F55000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7970000 \SystemRoot\system32\drivers\srvkp.sys
0xF2A40000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF7984000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xF29D0000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF5F45000 \SystemRoot\System32\Drivers\Fips.SYS
0xF29A9000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF77B0000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF5F25000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF2969000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6B95000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77D8000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B44000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\SiSGRV.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF293D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xF7638000 \SystemRoot\system32\drivers\dcfs2k.sys
0xF5F15000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xF2811000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xF268A000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xF241D000 \SystemRoot\system32\drivers\wdmaud.sys
0xF25D2000 \SystemRoot\system32\drivers\sysaudio.sys
0xF220A000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF7A10000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xF20C3000 \SystemRoot\System32\DRIVERS\srv.sys
0xF204B000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xF1BB5000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7848000 \??\C:\DOCUME~1\DAVIDA~1\LOCALS~1\Temp\mbr.sys
0xF7878000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xF7A50000 \SystemRoot\system32\DRIVERS\psi_mf.sys
0xF77D0000 \??\C:\combo-fix\catchme.sys
0xF7A4E000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xF1812000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
0 System Idle Process
4 System
484 C:\WINDOWS\system32\smss.exe
540 csrss.exe
568 C:\WINDOWS\system32\winlogon.exe
612 C:\WINDOWS\system32\services.exe
624 C:\WINDOWS\system32\lsass.exe
784 C:\WINDOWS\system32\svchost.exe
832 svchost.exe
944 C:\WINDOWS\system32\svchost.exe
980 C:\WINDOWS\system32\svchost.exe
1112 svchost.exe
1132 svchost.exe
1300 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
196 C:\WINDOWS\system32\spoolsv.exe
1556 svchost.exe
1840 C:\Program Files\Java\jre6\bin\jqs.exe
776 C:\WINDOWS\system32\drivers\KodakCCS.exe
1580 C:\WINDOWS\system32\lxdmcoms.exe
1636 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1340 C:\WINDOWS\SOUNDMAN.EXE
1684 C:\WINDOWS\system32\HPZipm12.exe
1480 C:\WINDOWS\system32\sistray.exe
852 C:\WINDOWS\system32\ScsiAccess.EXE
1824 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
380 C:\WINDOWS\system32\svchost.exe
1380 C:\Program Files\Secunia\PSI\psi.exe
2200 C:\WINDOWS\system32\ctfmon.exe
2580 alg.exe
1704 C:\WINDOWS\explorer.exe
1976 C:\Program Files\Messenger\msmsgs.exe
3324 C:\Documents and Settings\David and Marla\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400EB-00CPF0, Rev: 06.04G06

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


Re: Win32 on XP

Post by Dr Jay on 19th August 2010, 7:05 pm

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 0 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation, "Do you want to fix the MBR code?", type the full word Yes (not Y, or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path are written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the [You must be registered and logged in to see this link.] is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow you to recover the boot code via the Windows Recovery Console in case of any problems, or install the [You must be registered and logged in to see this link.] before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.


Dr. Jay (DJ)
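The checks that MBRCheck and Bootkit Remover report on in this thread (the 0x55AA signature an MBR must end with, the partition table that locates C: at offset 0x7e00, and a hash of the boot code compared against a known-good fingerprint), written out as an added Python example. This is not code from MBRCheck, Bootkit Remover or the thread; the boot code and partition layout it builds are constructed stand-ins, not real Windows XP sectors, and which bytes the real tools hash is not stated in the logs, so this example hashes bytes 0..439 and says so.

```python
"""MBR sanity check in the spirit of the tools used in this thread:
signature, partition table, and a boot-code fingerprint against a trusted list."""
import hashlib
import struct

MBR_SIZE = 512
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the executable boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"        # bytes 510..511 of a valid MBR
NTFS_TYPE = 0x07

# Constructed stand-in for boot code (NOT real Windows XP boot code). Its SHA1
# plays the role of the "Windows XP MBR code" fingerprint MBRCheck matches on.
SAMPLE_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB]) + b"\x90" * 432


def build_sample_mbr(boot_code=SAMPLE_BOOT_CODE):
    """Constructed 512-byte MBR: one bootable NTFS partition starting at LBA 63,
    which is byte offset 0x7e00, the offset the thread's logs show for C:."""
    mbr = bytearray(MBR_SIZE)
    mbr[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", NTFS_TYPE,
                        b"\xfe\xff\xff", 63, 78156225)   # ~37 GiB, like the log
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def has_valid_signature(mbr):
    """A sector without 55 AA at the end is not a bootable MBR at all."""
    return len(mbr) == MBR_SIZE and bytes(mbr[510:512]) == SIGNATURE


def boot_code_fingerprints(mbr):
    """SHA1 (upper-case, as MBRCheck prints hashes) and MD5 of bytes 0..439 only.
    The partition table is excluded so repartitioning does not change the value;
    a bootkit that replaces the boot code does change it."""
    code = bytes(mbr[:BOOT_CODE_LEN])
    return {"sha1": hashlib.sha1(code).hexdigest().upper(),
            "md5": hashlib.md5(code).hexdigest()}


def parse_partitions(mbr):
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "start_lba": lba,
            "start_offset": lba * SECTOR_SIZE,          # 0x7e00 for LBA 63
            "size_gib": count * SECTOR_SIZE // 2 ** 30,
        })
    return parts


def analyze_mbr(mbr, known_good_sha1):
    """known_good_sha1 maps an upper-case SHA1 of trusted boot code to a label.
    Returns a report dict with a one-line 'status' verdict."""
    report = {"signature_ok": has_valid_signature(mbr),
              "partitions": parse_partitions(mbr) if len(mbr) >= MBR_SIZE else []}
    report.update(boot_code_fingerprints(mbr))
    if not report["signature_ok"]:
        report["status"] = "invalid MBR (missing 55AA signature)"
    elif report["sha1"] in known_good_sha1:
        report["status"] = "known boot code: " + known_good_sha1[report["sha1"]]
    else:
        report["status"] = "UNKNOWN boot code: compare with a clean MBR before trusting it"
    return report


if __name__ == "__main__":
    good = build_sample_mbr()
    trusted = {boot_code_fingerprints(good)["sha1"]: "sample boot code"}
    tampered = bytearray(good)
    tampered[0] ^= 0xFF         # one byte of boot code changed, as a bootkit would
    for label, sector in (("clean", good), ("tampered", bytes(tampered))):
        r = analyze_mbr(sector, trusted)
        print(f"{label}: {r['status']}; partitions={r['partitions']}")
```

On a real machine the 512 bytes would be read from the physical drive (the `\\.\PhysicalDrive0` device the logs name) and the trusted hash would come from a known-clean install of the same Windows version.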



Re: Win32 on XP

Post by brick on 19th August 2010, 7:54 pm

We are not getting the option for Y or N. It pulls up the MBRCheck screen, a few lines, and ends with "Done! Press ENTER to exit."

thanks


Re: Win32 on XP

Post by Dr Jay on 19th August 2010, 7:55 pm

Download [You must be registered and logged in to see this link.] to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a black screen with some data on it.
  • Right-click on the screen and click Select All.
  • Press Enter.
  • Open Notepad and press CTRL+V.
  • Post the output back here.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 19th August 2010, 8:24 pm

here it is

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Win32 on XP

Post by Dr Jay on 19th August 2010, 8:29 pm

Please open Notepad and enter in the following:
@echo off
REM Run Bootkit Remover's fix against the first physical disk.
REM The device path needs the full \\.\ prefix, as shown in remover.exe's own log.
start remover.exe fix \\.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 19th August 2010, 8:39 pm

here it is

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Win32 on XP

Post by Dr Jay on 19th August 2010, 8:43 pm

How is your computer running at this point?


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 19th August 2010, 8:54 pm

Still slow on start up (I used the restart command to test). Freezes up when trying to open Firefox. But the switch from one screen to another seems somewhat faster.

brick


Re: Win32 on XP

Post by Dr Jay on 20th August 2010, 8:26 am

The MBR didn't get fixed correctly. We shall try this once more.

Please open Notepad and copy and paste the following:
@echo off
REM Run Bootkit Remover's fix against the first physical disk.
REM The device path needs the full \\.\ prefix, as shown in remover.exe's own log.
start remover.exe fix \\.\PhysicalDrive0
exit
Then, click File > Save as...
Save as remove.bat to the same location as remover.exe.
Choose Save as type... All Files.
Click Save.

Then, exit Notepad.

Double-click on remove.bat.

Please re-run remover.exe and post a new log in your next reply.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 20th August 2010, 3:13 pm

Here are the logs

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

CreateFile() ERROR 2
ERROR: Can't open physical disk device.

Done;
Press any key to quit...


Re: Win32 on XP

Post by Dr Jay on 21st August 2010, 5:44 am

Do you have an XP CD?

We need to do a data-safe recovery.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 21st August 2010, 5:43 pm

No, I am sorry we don't.

brick


Re: Win32 on XP

Post by Dr Jay on 21st August 2010, 8:54 pm

Download [You must be registered and logged in to see this link.] and save it somewhere you can find it.

Download [You must be registered and logged in to see this link.] and install it.

Start MagicISO. When it asks you to register, just close that window...the
program should remain open. Click on "File" and then on "Open"...navigate to the RC.ISO file you downloaded, select it, and click "Open".

Click "File" on the toolbar and choose "Save As". Name the file RCplus and save it somewhere you can find it.

Put a blank CD-R disk in your CD burner and close the tray...when the AutoPlay window opens, close it.

Click "Tools" on the toolbar and choose "Burn CD/DVD with ISO". In the CD/DVD Image file area, click the little folder, navigate to the newly created
RCplus.iso image file, and click "Open". In the CD/DVD Writing Speed
drop-down menu, choose the top 8X setting. Format should have "Mode 1"
selected...if not, select it. Click on the "Burn It!" button.

Once this disk is burned, put it in the machine you're working on and restart. Boot to the CD and enter the Recovery Console.

When there, do this:

Type in "fixmbr" and hit Enter.

Type 'y' if asked to, and allow it to do its job.

Once it's done that and shows the next bit for another command, type "exit"

This will reboot your machine again, allow it to boot normally this time.

Once done, re-run Remover.exe and post a new log.


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 21st August 2010, 10:26 pm

here it is

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

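The Remover output above reports three things a reviewer cares about: the offset at which the C: volume starts on PhysicalDrive0 (0x7e00, that is LBA 63), an MD5 of that volume's boot sector, and whether the MBR itself carries recognisable DOS/Win32 boot code. The Python below is an added example, not part of this thread and not the eSage Lab tool's code: it parses a 512-byte MBR, follows the active partition entry to the volume boot record at that offset, hashes both, and compares the MBR boot code against a baseline hash recorded from a known-good disk. The disk image it runs on is constructed in `build_sample_disk()`; on a real machine the same bytes would be read from `\\.\PhysicalDrive0`, which needs administrator rights (the first Remover run above could not open the physical disk at all). MD5 is used only because the tool reports MD5; it is a change fingerprint, not a tamper-proof signature.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
# One partition entry: status, CHS start, type, CHS end, LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_disk() -> bytes:
    """Constructed test image (not read from any real machine): an MBR with a single
    active NTFS partition at LBA 63, and an NTFS-style volume boot record at that LBA."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = PARTITION_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 77_600_000)
    mbr = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    gap = b"\x00" * (62 * SECTOR_SIZE)          # sectors 1..62: unused on an XP-era layout
    vbr = (b"\xeb\x52\x90" + b"NTFS    ").ljust(510, b"\x00") + BOOT_SIGNATURE
    return mbr + gap + vbr


def parse_mbr(sector: bytes) -> dict:
    """Check the 0x55AA signature, fingerprint the boot code, and list non-empty partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = PARTITION_ENTRY.unpack_from(
            sector, PARTITION_TABLE_OFFSET + PARTITION_ENTRY.size * i)
        if ptype == 0:
            continue                              # empty slot
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,                        # 0x07 = NTFS/HPFS
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,
            "sector_count": count,
        })
    return {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "boot_code_md5": hashlib.md5(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def system_boot_sector(image: bytes) -> dict:
    """Follow the active partition to its volume boot record and hash it, mirroring the
    'volume -> PhysicalDrive at offset' and 'Boot sector MD5' lines of the Remover log."""
    mbr = parse_mbr(image[:SECTOR_SIZE])
    active = [p for p in mbr["partitions"] if p["active"]]
    if not mbr["signature_ok"] or len(active) != 1:
        raise ValueError("MBR signature missing or no single active partition")
    off = active[0]["byte_offset"]
    vbr = image[off:off + SECTOR_SIZE]
    return {
        "offset": off,
        "oem_id": vbr[3:11].decode("ascii", "replace").strip(),
        "signature_ok": vbr[510:] == BOOT_SIGNATURE,
        "md5": hashlib.md5(vbr).hexdigest(),
    }


def compare_to_baseline(image: bytes, baseline_boot_code_md5: str) -> str:
    """Report whether the MBR boot code still matches a hash recorded from a known-good disk.
    MD5 is a change fingerprint here, as in the Remover log, not a tamper-proof signature."""
    mbr = parse_mbr(image[:SECTOR_SIZE])
    if not mbr["signature_ok"]:
        return "INVALID: 0x55AA boot signature missing"
    if mbr["boot_code_md5"] != baseline_boot_code_md5:
        return "CHANGED: MBR boot code differs from baseline, inspect before trusting the boot path"
    return "OK: MBR boot code matches baseline"


if __name__ == "__main__":
    disk = build_sample_disk()
    mbr = parse_mbr(disk[:SECTOR_SIZE])
    print("MBR signature ok:", mbr["signature_ok"], "boot code MD5:", mbr["boot_code_md5"])
    for p in mbr["partitions"]:
        print("partition", p["index"], "active" if p["active"] else "inactive",
              "type 0x%02x at offset 0x%x" % (p["type"], p["byte_offset"]))
    print("system boot sector:", system_boot_sector(disk))
    print(compare_to_baseline(disk, mbr["boot_code_md5"]))
```

Record `boot_code_md5` from a clean machine running the same Windows version and compare it after each scan: MBR boot code that has changed while the 0x55AA signature is still intact is exactly the condition that `fixmbr` rewrites, and re-running the check afterwards confirms the rewrite took.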

Re: Win32 on XP

Post by Dr Jay on 22nd August 2010, 5:31 am

Good.

How is the computer running now?


Dr. Jay (DJ)



Re: Win32 on XP

Post by brick on 23rd August 2010, 1:47 pm

Good Monday morning DragonMaster Jay,
I started up the computer this morning and it was even slower than yesterday. I pulled up the Windows Task Manager and at the top of Applications was a program that looks like the Windows Messenger Live icon, yet a little different, with the title of 'xxx'. This is the same program that prompted us to run the ESET scanner 2 weeks ago, thus finding a variety of Win32 viruses. I gather this virus is back?
What do we do next?
Thanks for your continued help
*********
(note) After posting this I went back to the desktop and it still won't open the Firefox browser. It is listed as non-responsive. I also cannot close the browser. After a while it finally closed and then I was able to end the "xxx" task as well. Clearly, something is going on....

brick


Re: Win32 on XP

Post by Dr Jay on 24th August 2010, 8:41 pm

Please download [You must be registered and logged in to see this link.] to your Desktop. (If you already have it downloaded, then just follow the instructions below).
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.sys
    %systemroot%\system32\drivers\*.dll
    %systemroot%\system32\drivers\*.ini
    %systemroot%\system32\drivers\*.exe
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.
    %appdata%\*.*
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    disk.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    usbstor.sys
    /md5stop
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) and paste (Edit->Paste) the contents of these files, one at a time.


Note: in the event that OTL fails to run, please use alternate download links to try again:

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


Dr. Jay (DJ)


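The PRC/MOD/SRV/DRV lines in the OTL.Txt this post asks for all share one layout: a type tag, then either a `[timestamp | size | attributes | M] (Company)` block or the words `File not found`, an optional `[start | state]` block for services and drivers, then ` -- path`, optionally followed by ` -- (name)`. The script below is an added example, not part of OTL and not written by anyone in this thread: it parses those lines and sorts the obvious review candidates to the top, namely registrations whose file is missing, binaries with no company information, early-start kernel drivers without a publisher, and executables running from user-writable locations. The log excerpt it parses is constructed for the example in the format of the OTL output posted later in the thread; `unknown.exe` and `sampledrv.sys` are placeholders, not findings from this machine.

```python
import re

# One regex for the PRC/MOD/SRV/DRV lines of OTL.Txt (layout as seen in OTL 3.2 logs)
LINE_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<stamp>[^\]]+)\] \((?P<company>.*?)\))"
    r"(?: \[(?P<flags>[^\]]+)\])? -- (?P<rest>.+)$"
)
# Locations an ordinary user can write to; services and drivers rarely belong there
USER_WRITABLE = re.compile(r"\\(?:Temp|Local Settings|Application Data)\\", re.IGNORECASE)

# Constructed excerpt in OTL's layout; unknown.exe and sampledrv.sys are placeholders, not findings
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========

PRC - [2010/08/24 16:58:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\Desktop\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2010/08/20 09:11:02 | 000,094,208 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Temp\unknown.exe

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\combo-fix\catchme.sys -- (catchme)
DRV - [2010/08/19 03:07:44 | 000,018,432 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sampledrv.sys -- (sampledrv)
DRV - [2007/01/26 22:09:40 | 000,068,954 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jl2005c.sys -- (JL2005C)
"""


def parse_otl(text: str) -> list:
    """Turn the PRC/MOD/SRV/DRV lines into dicts; banners and other sections are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, _, name = m.group("rest").partition(" -- ")
        flags = [f.strip() for f in (m.group("flags") or "").split("|") if f.strip()]
        entries.append({
            "kind": m.group("kind"),
            "missing": m.group("missing") is not None,
            "company": (m.group("company") or "").strip(),
            "start": flags[-2] if len(flags) >= 2 else "",   # Boot/System/Auto/On_Demand/Disabled
            "state": flags[-1] if flags else "",             # Running/Stopped
            "path": path.strip(),
            "name": name.strip("() "),
        })
    return entries


def triage(entries: list) -> list:
    """Return the entries a reviewer should look at first, each with the reasons it was flagged."""
    findings = []
    for e in entries:
        reasons = []
        if e["missing"]:
            reasons.append("registered but file not found (orphaned entry)")
        else:
            if not e["company"]:
                reasons.append("no company/version information")
            if e["kind"] == "DRV" and e["start"] in ("Boot", "System") and not e["company"]:
                reasons.append("early-start kernel driver without a publisher")
            if USER_WRITABLE.search(e["path"]):
                reasons.append("runs from a user-writable location")
        if reasons:
            findings.append({"kind": e["kind"], "path": e["path"], "name": e["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_otl(SAMPLE_LOG)):
        print(f"{f['kind']} {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

The flags are triage hints for a human reviewer, not verdicts: legitimate software can trip a rule (a small-vendor driver with empty version information, for instance), which is why the report lists the reason next to each path instead of a score.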

Re: Win32 on XP

Post by brick on 24th August 2010, 9:22 pm

This is the OTL Logs

OTL logfile created on: 08/24/2010 5:00:19 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\David and Marla\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

479.00 Mb Total Physical Memory | 253.00 Mb Available Physical Memory | 53.00% Memory free
874.00 Mb Paging File | 607.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 12.63 Gb Free Space | 33.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FRITSCH
Current User Name: David and Marla
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/24 16:58:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David and Marla\Desktop\OTL.exe
PRC - [2010/07/24 11:48:15 | 000,014,808 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/06/28 16:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/05/31 07:18:16 | 000,323,976 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
PRC - [2010/05/28 07:04:52 | 000,911,920 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/12/07 10:37:36 | 000,598,696 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdmcoms.exe
PRC - [2006/03/09 04:03:56 | 000,262,144 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\sistray.exe
PRC - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2003/06/18 10:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe
PRC - [2003/02/04 09:22:30 | 000,181,312 | ---- | M] () -- C:\WINDOWS\system32\ScsiAccess.EXE
PRC - [2002/09/13 15:57:43 | 000,046,592 | ---- | M] (Avance Logic, Inc.) -- C:\WINDOWS\SOUNDMAN.EXE


========== Modules (SafeList) ==========

MOD - [2010/08/24 16:58:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David and Marla\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2007/03/26 14:03:20 | 000,057,344 | ---- | M] (BillP Studios) -- C:\Program Files\BillP Studios\WinPatrol\patrolpro.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 16:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/12/01 12:01:02 | 000,033,752 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper) getPlus(R)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Disabled | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/12/07 10:37:36 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdmcoms.exe -- (lxdm_device)
SRV - [2007/12/07 10:37:27 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdmserv.exe -- (lxdmCATSCustConnectService)
SRV - [2004/09/29 13:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/06/18 10:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS)
SRV - [2003/02/04 09:22:30 | 000,181,312 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\ScsiAccess.EXE -- (ScsiAccess)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABProcEnum.sys -- (SABProcEnum)
DRV - File not found [Kernel | System | Stopped] -- C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys -- (SABKUTIL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\combo-fix\catchme.sys -- (catchme)
DRV - [2010/06/28 16:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 16:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 16:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 16:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 16:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 16:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/05/28 07:04:52 | 000,014,896 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2007/01/26 22:09:40 | 000,068,954 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\jl2005c.sys -- (JL2005C)
DRV - [2006/03/09 21:26:14 | 000,245,248 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
DRV - [2006/03/09 04:25:30 | 000,012,160 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
DRV - [2005/07/04 08:52:50 | 000,018,432 | ---- | M] (First 4 Internet) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\$sys$cor.sys -- ($sys$cor)
DRV - [2005/07/04 06:51:37 | 000,011,904 | ---- | M] (First 4 Internet) [Kernel | System | Running] -- C:\WINDOWS\system32\$sys$filesystem\crater.sys -- ($sys$crater)
DRV - [2004/08/04 01:41:35 | 000,606,684 | ---- | M] (LT) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ltmdmnt.sys -- (ltmodem5)
DRV - [2003/06/18 10:53:08 | 000,138,485 | ---- | M] (Eastman Kodak Company) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\ExportIt.sys -- (Exportit)
DRV - [2003/06/18 10:53:08 | 000,063,002 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcPtp.sys -- (DcPTP)
DRV - [2003/06/18 10:53:08 | 000,061,568 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcFpoint.sys -- (DcFpoint)
DRV - [2003/06/18 10:53:08 | 000,038,997 | ---- | M] (Eastman Kodak Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DCFS2k.sys -- (DCFS2K)
DRV - [2003/06/18 10:53:08 | 000,036,826 | ---- | M] (Eastman Kodak Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\DcCam.sys -- (DcCam)
DRV - [2003/06/18 10:53:08 | 000,008,058 | ---- | M] (Eastman Kodak Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DcLps.sys -- (DcLps)
DRV - [2002/09/13 15:55:13 | 000,659,356 | ---- | M] (Avance Logic, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Avance AC97 Audio (WDM)
DRV - [2002/07/10 18:39:34 | 000,032,256 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnic.sys -- (SISNIC)
DRV - [2001/09/28 11:52:04 | 000,027,008 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGP.sys -- (sisagp)
DRV - [2001/08/17 16:11:42 | 000,029,696 | ---- | M] (CNet Technology, Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 82 26 1F 2A 73 3C CB 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.suggest.enabled: false
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.cnn.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.5.3
FF - prefs.js..extensions.enabledItems: {35106bca-6c78-48c7-ac28-56df30b51d2d}:1.2.4
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119091315
FF - prefs.js..extensions.enabledItems: {6C4BAFB6-2AC2-4405-A98D-546B55B3AE92}:1.8.62
FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p="


FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/22 11:01:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/17 13:12:29 | 000,000,000 | ---D | M]

[2008/10/15 10:39:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Extensions
[2010/08/24 12:34:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions
[2010/05/28 17:12:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/12/18 13:23:56 | 000,000,000 | ---D | M] (PopupMaster) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2d}
[2010/02/17 12:25:48 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/06/30 20:40:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{6C4BAFB6-2AC2-4405-A98D-546B55B3AE92}
[2009/09/22 14:48:44 | 000,000,000 | ---D | M] (iFox) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{a81bafeb-b6ed-4501-aa17-15a2b3857e56}
[2006/11/24 21:30:26 | 000,000,000 | ---D | M] (rubyFox) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{b31ac1df-926d-44b1-aeeb-8c732e0b9b1e}
[2009/01/18 20:35:04 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2006/11/24 21:26:16 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\{e8cba685-830c-1283-6314-a6ae605cc7be}
[2010/04/13 15:05:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\extensions\personas@christopher.beard
[2009/09/01 18:03:02 | 000,002,163 | ---- | M] () -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\searchplugins\bing.xml
[2009/07/19 10:00:10 | 000,001,911 | ---- | M] () -- C:\Documents and Settings\David and Marla\Application Data\Mozilla\Firefox\Profiles\luomhhjy.default\searchplugins\bleach-wiki-en.xml
[2010/08/24 12:34:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/08 19:30:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/08 19:29:42 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2006/10/16 13:01:15 | 000,221,184 | ---- | M] (Virtools SA) -- C:\Program Files\Mozilla Firefox\plugins\npvirtools.dll

O1 HOSTS File: ([2010/08/18 15:39:17 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll File not found
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Avance Logic, Inc.)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - HKCU..\Run: [Cookienator] C:\Program Files\Cookienator\cookienator.exe (CodeFromThe70s.org)
O4 - Startup: C:\Documents and Settings\David and Marla\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\David and Marla\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\David and Marla\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/18 00:24:52 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: vsmon - Service
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608555} - Internet Explorer Classes for Java
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {233C1507-6A77-46A4-9443-F871F945D258} - Adobe Shockwave Director 10.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Adobe Shockwave Director 10.4
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ae594d5e-dd07-4e54-8252-daa5aebbd4ec} - KB905915
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Flash Player 8
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: VIDC.IV41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.JDCT - C:\WINDOWS\System32\jl_jdct.drv (JEILIN Tech.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/08/24 16:58:35 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\David and Marla\Desktop\OTL.exe
[2010/08/21 17:57:44 | 000,000,000 | ---D | C] -- C:\Program Files\MagicISO
[2010/08/19 16:22:34 | 000,081,920 | ---- | C] (eSage Lab) -- C:\Documents and Settings\David and Marla\Desktop\remover.exe
[2010/08/19 15:34:10 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/08/18 15:19:17 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/18 11:25:24 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/08/18 11:25:24 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/08/18 11:25:24 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/08/18 11:25:24 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/08/18 11:23:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/18 11:23:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/08/17 13:10:47 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/08/17 13:10:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2010/08/10 05:15:58 | 000,094,208 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/08/10 05:15:58 | 000,069,632 | ---- | C] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2009/04/22 19:06:22 | 000,434,176 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmhcp.dll
[2009/04/22 19:06:21 | 001,200,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmserv.dll
[2009/04/22 19:06:21 | 000,950,272 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmusb1.dll
[2009/04/22 19:06:21 | 000,647,168 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmpmui.dll
[2009/04/22 19:06:21 | 000,565,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmlmpm.dll
[2009/04/22 19:06:21 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdminpa.dll
[2009/04/22 19:06:21 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmiesc.dll
[2009/04/22 19:06:21 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmprox.dll
[2009/04/22 19:06:20 | 000,663,552 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmhbn3.dll
[2009/04/22 19:06:19 | 000,860,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmcomc.dll
[2009/04/22 19:06:19 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdmcomm.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[21 C:\Documents and Settings\David and Marla\My Documents\*.tmp files -> C:\Documents and Settings\David and Marla\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/24 16:58:24 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\David and Marla\Desktop\OTL.exe
[2010/08/24 14:53:09 | 000,042,496 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\S.P.E.A.R.doc
[2010/08/24 12:14:29 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\David and Marla\My Documents\~$P.E.A.R.doc
[2010/08/24 11:18:17 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/24 10:45:22 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/24 10:44:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/24 10:43:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/24 10:43:57 | 502,849,536 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/23 23:38:07 | 007,077,888 | -H-- | M] () -- C:\Documents and Settings\David and Marla\NTUSER.DAT
[2010/08/23 23:38:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\David and Marla\ntuser.ini
[2010/08/23 19:42:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/22 23:01:08 | 000,096,256 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\Living on a paryer..doc
[2010/08/21 15:22:48 | 000,002,269 | ---- | M] () -- C:\Documents and Settings\David and Marla\Desktop\Cookienator.lnk
[2010/08/20 11:10:23 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\David and Marla\Desktop\remove.bat
[2010/08/19 16:21:53 | 000,036,833 | ---- | M] () -- C:\Documents and Settings\David and Marla\Desktop\bootkit_remover.rar
[2010/08/19 15:36:14 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\David and Marla\Desktop\MBRCheck.exe
[2010/08/18 15:39:48 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/18 15:39:17 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/18 15:19:27 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/08/18 11:24:29 | 003,819,088 | R--- | M] () -- C:\Documents and Settings\David and Marla\Desktop\combo-fix.exe
[2010/08/15 20:06:24 | 000,046,592 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\falling angels.doc
[2010/08/12 12:32:35 | 000,139,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/12 11:38:07 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\David and Marla\My Documents\~$rvest moon ToT.doc
[2010/08/12 11:29:46 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/08/12 11:26:49 | 000,000,783 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/08/12 11:19:20 | 000,505,774 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/08/12 11:19:20 | 000,444,360 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/08/12 11:19:20 | 000,072,252 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/08/10 23:11:19 | 000,518,656 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\Letters in timed.doc
[2010/08/10 22:03:25 | 000,165,836 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\cr 003.jpg
[2010/08/10 22:02:44 | 000,199,533 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\cr 002.jpg
[2010/08/10 22:01:52 | 000,186,995 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\cr 001.jpg
[2010/08/10 21:59:31 | 000,215,668 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\cr.jpg
[2010/08/10 05:15:58 | 000,094,208 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTimeVR.qtx
[2010/08/10 05:15:58 | 000,069,632 | ---- | M] (Apple Inc.) -- C:\WINDOWS\System32\QuickTime.qts
[2010/08/09 23:12:50 | 004,291,912 | -H-- | M] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\IconCache.db
[2010/08/09 14:27:47 | 000,297,984 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\Harvest moon ToT.doc
[2010/08/08 14:02:34 | 000,012,288 | ---- | M] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/02 17:44:48 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\David and Marla\My Documents\~$ving on a paryer..doc
[2010/08/01 10:41:03 | 000,011,057 | ---- | M] () -- C:\Documents and Settings\All Users\lxdm
[2010/08/01 10:39:25 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\old folksjuly2010.xls
[2010/07/29 18:08:15 | 000,093,184 | ---- | M] () -- C:\Documents and Settings\David and Marla\My Documents\Darkblood.doc
[2010/07/27 02:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\shell32.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[21 C:\Documents and Settings\David and Marla\My Documents\*.tmp files -> C:\Documents and Settings\David and Marla\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/24 12:14:29 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\David and Marla\My Documents\~$P.E.A.R.doc
[2010/08/21 17:53:17 | 000,042,496 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\S.P.E.A.R.doc
[2010/08/20 11:10:23 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\David and Marla\Desktop\remove.bat
[2010/08/19 16:22:03 | 000,036,833 | ---- | C] () -- C:\Documents and Settings\David and Marla\Desktop\bootkit_remover.rar
[2010/08/19 15:36:34 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\David and Marla\Desktop\MBRCheck.exe
[2010/08/18 15:19:27 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/08/18 15:19:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/18 11:25:24 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/18 11:25:24 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/08/18 11:25:24 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/08/18 11:25:24 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/08/18 11:25:24 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/08/18 11:19:29 | 003,819,088 | R--- | C] () -- C:\Documents and Settings\David and Marla\Desktop\combo-fix.exe
[2010/08/12 11:38:07 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\David and Marla\My Documents\~$rvest moon ToT.doc
[2010/08/10 22:03:06 | 000,165,836 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\cr 003.jpg
[2010/08/10 22:02:26 | 000,199,533 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\cr 002.jpg
[2010/08/10 21:59:59 | 000,186,995 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\cr 001.jpg
[2010/08/10 21:59:12 | 000,215,668 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\cr.jpg
[2010/08/07 21:06:35 | 000,518,656 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\Letters in timed.doc
[2010/08/02 17:44:48 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\David and Marla\My Documents\~$ving on a paryer..doc
[2010/08/01 10:39:25 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\David and Marla\My Documents\old folksjuly2010.xls
[2009/12/14 21:41:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\prvlcl.dat
[2009/08/21 10:54:05 | 000,018,885 | ---- | C] () -- C:\WINDOWS\System32\acylowi.dll
[2009/08/21 10:54:05 | 000,018,474 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ymysad._sy
[2009/08/21 10:54:05 | 000,017,451 | ---- | C] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\jypu.bin
[2009/04/22 19:11:15 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdmvs.dll
[2009/04/22 19:11:12 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdmcoin.dll
[2009/04/22 19:10:19 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdmdrs.dll
[2009/04/22 19:10:19 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxdmcaps.dll
[2009/04/22 19:10:18 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdmcnv4.dll
[2009/04/22 19:09:22 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDMPMON.DLL
[2009/04/22 19:09:22 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDMFXPU.DLL
[2009/04/22 19:09:02 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdmoem.dll
[2009/04/22 19:06:39 | 000,000,060 | -H-- | C] () -- C:\WINDOWS\System32\lxdmrwrd.ini
[2009/04/22 19:06:22 | 000,348,160 | ---- | C] () -- C:\WINDOWS\System32\lxdminst.dll
[2009/04/22 19:06:20 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdmgrd.dll
[2008/12/25 12:32:57 | 000,095,496 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2008/12/25 12:32:31 | 000,081,418 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2008/12/08 12:10:33 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\TVModeLib.dll
[2008/12/08 12:10:33 | 000,034,915 | ---- | C] () -- C:\WINDOWS\System32\1_ssetup.ini
[2008/12/08 12:10:33 | 000,016,819 | ---- | C] () -- C:\WINDOWS\System32\sunistlog.ini
[2008/12/08 12:08:51 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\setuplib.dll
[2008/12/04 11:06:55 | 000,000,024 | ---- | C] () -- C:\WINDOWS\wldtlk5.ini
[2008/09/29 09:00:49 | 000,000,638 | ---- | C] () -- C:\WINDOWS\tlknw5.ini
[2008/09/29 08:54:02 | 000,000,011 | ---- | C] () -- C:\WINDOWS\mathadv.ini
[2008/09/29 08:53:34 | 000,000,027 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2007/03/30 14:31:20 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\dec_jl6.dll
[2006/03/01 13:56:33 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2006/03/01 13:56:33 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2006/03/01 13:56:32 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2006/02/08 16:55:40 | 000,001,016 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2006/01/26 13:04:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/26 19:19:54 | 000,000,138 | ---- | C] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\fusioncache.dat
[2005/12/26 18:11:50 | 000,003,977 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2005/12/18 22:53:25 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/12/18 11:17:28 | 000,000,068 | ---- | C] () -- C:\WINDOWS\Disney.ini
[2005/12/17 20:29:23 | 000,012,288 | ---- | C] () -- C:\Documents and Settings\David and Marla\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/09/28 20:27:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/09/18 00:37:08 | 000,000,795 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/09/18 00:04:22 | 000,001,836 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2000/09/08 17:53:50 | 000,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/01/22 06:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1997/06/13 21:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\iyvu9_32.dll

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\*.exe /lockedfiles >
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2002/09/17 17:10:15 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2002/09/17 17:10:14 | 000,606,208 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2002/09/17 17:10:14 | 000,389,120 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\*.sys >
[2002/08/29 08:00:00 | 000,009,029 | ---- | M] () -- C:\WINDOWS\system32\ansi.sys
[2002/08/29 08:00:00 | 000,027,097 | ---- | M] () -- C:\WINDOWS\system32\country.sys
[2002/08/29 08:00:00 | 000,004,768 | ---- | M] () -- C:\WINDOWS\system32\himem.sys
[2002/08/29 08:00:00 | 000,042,809 | ---- | M] () -- C:\WINDOWS\system32\key01.sys
[2002/08/29 08:00:00 | 000,042,537 | ---- | M] () -- C:\WINDOWS\system32\keyboard.sys
[2002/08/29 08:00:00 | 000,027,866 | ---- | M] () -- C:\WINDOWS\system32\ntdos.sys
[2002/08/29 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos404.sys
[2002/08/29 08:00:00 | 000,029,370 | ---- | M] () -- C:\WINDOWS\system32\ntdos411.sys
[2002/08/29 08:00:00 | 000,029,274 | ---- | M] () -- C:\WINDOWS\system32\ntdos412.sys
[2002/08/29 08:00:00 | 000,029,146 | ---- | M] () -- C:\WINDOWS\system32\ntdos804.sys
[2004/08/04 01:45:08 | 000,033,840 | ---- | M] () -- C:\WINDOWS\system32\ntio.sys
[2004/08/04 01:45:14 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio404.sys
[2004/08/04 01:45:10 | 000,035,648 | ---- | M] () -- C:\WINDOWS\system32\ntio411.sys
[2004/08/04 01:45:15 | 000,035,424 | ---- | M] () -- C:\WINDOWS\system32\ntio412.sys
[2004/08/04 01:45:12 | 000,034,560 | ---- | M] () -- C:\WINDOWS\system32\ntio804.sys
[2008/04/13 14:44:59 | 000,017,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\watchdog.sys
[2010/06/23 09:44:04 | 001,851,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\win32k.sys
[5 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\system32\drivers\*.dll >
[2008/04/13 20:11:48 | 000,004,255 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv01nt5.dll
[2008/04/13 20:11:48 | 000,003,967 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv02nt5.dll
[2008/04/13 20:11:48 | 000,003,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv05nt5.dll
[2008/04/13 20:11:48 | 000,003,647 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv07nt5.dll
[2008/04/13 20:11:48 | 000,003,135 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv08nt5.dll
[2008/04/13 20:11:48 | 000,003,711 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv09nt5.dll
[2008/04/13 20:11:48 | 000,003,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\adv11nt5.dll
[2008/04/13 20:11:50 | 000,021,183 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv01nt5.dll
[2008/04/13 20:11:50 | 000,011,359 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv02nt5.dll
[2008/04/13 20:11:50 | 000,025,471 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv04nt5.dll
[2008/04/13 20:11:50 | 000,014,143 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv06nt5.dll
[2008/04/13 20:11:50 | 000,017,279 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\atv10nt5.dll
[2008/04/13 20:11:50 | 000,015,423 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
[2008/04/13 20:12:05 | 000,003,901 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\siint5.dll
[2008/04/13 20:12:08 | 000,011,325 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\system32\drivers\vchnt5.dll

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >
[2003/06/18 10:54:10 | 000,294,972 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/05/02 23:38:35 | 000,113,664 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxdmdrpp.dll
[2007/04/09 13:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %SYSTEMDRIVE%\*.* >
[2008/12/08 10:55:28 | 000,006,129 | ---- | M] () -- C:\0x0409.ini
[2009/10/19 15:28:24 | 000,000,000 | ---- | M] () -- C:\AILog.txt
[2002/09/18 00:24:52 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2006/01/02 11:04:00 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/08/18 15:19:27 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/08/18 16:05:22 | 000,015,788 | ---- | M] () -- C:\ComboFix.txt
[2002/09/18 00:24:52 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/12/08 10:55:32 | 002,516,480 | ---- | M] () -- C:\Driver Detective.msi
[2009/10/11 18:50:01 | 000,000,000 | ---- | M] () -- C:\DTSHDSpOut.txt
[2010/05/07 06:08:48 | 000,035,774 | ---- | M] () -- C:\EasyShare.dmp
[2009/01/23 15:01:42 | 000,005,113 | ---- | M] () -- C:\hel.exe
[2010/08/24 10:43:57 | 502,849,536 | -HS- | M] () -- C:\hiberfil.sys
[2002/09/18 00:24:52 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/23 10:16:39 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2002/09/18 00:24:52 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/01/02 10:54:20 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/11/11 10:17:22 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/24 16:37:59 | 490,733,568 | -HS- | M] () -- C:\pagefile.sys
[2010/01/02 00:43:44 | 000,200,192 | ---- | M] () -- C:\Part.doc
[2010/05/23 10:10:41 | 000,000,404 | ---- | M] () -- C:\rkill.log
[2008/12/08 10:55:28 | 000,002,389 | ---- | M] () -- C:\Setup.INI
[2008/12/08 10:55:28 | 000,283,607 | ---- | M] () -- C:\setup.isn
[2010/06/08 17:13:27 | 000,061,504 | ---- | M] () -- C:\silver.jpg
[2008/12/08 12:10:27 | 000,000,094 | ---- | M] () -- C:\SiSSetup.txt
[2008/12/08 12:10:27 | 000,002,389 | ---- | M] () -- C:\SiSSetup1.ini
[2008/12/08 12:10:27 | 000,000,000 | ---- | M] () -- C:\SiSUnist.ini
[2008/12/07 07:55:55 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2008/12/08 08:02:14 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2008/12/22 08:15:21 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2008/12/23 00:13:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2008/12/24 06:15:28 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/01/08 06:31:56 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/01/09 08:28:55 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/01/23 16:32:11 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/01/23 16:32:11 | 000,000,148 | -H-- | M] () -- C:\sqmdata08.sqm
[2008/11/16 08:36:03 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2008/12/01 06:04:10 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2008/12/01 12:36:41 | 000,000,172 | -H-- | M] () -- C:\sqmdata11.sqm
[2008/12/01 12:41:27 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2008/12/01 16:55:52 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/12/02 06:33:26 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2008/12/03 09:26:51 | 000,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2008/12/04 09:55:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata16.sqm
[2008/12/05 06:17:45 | 000,000,268 | -H-- | M] () -- C:\sqmdata17.sqm
[2008/12/06 07:54:25 | 000,000,268 | -H-- | M] () -- C:\sqmdata18.sqm
[2008/12/06 07:54:26 | 000,000,136 | -H-- | M] () -- C:\sqmdata19.sqm
[2008/12/07 07:55:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2008/12/08 08:02:14 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2008/12/22 08:15:19 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2008/12/23 00:13:09 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2008/12/24 06:15:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/01/08 06:31:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/01/09 08:28:55 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/01/23 16:32:11 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/01/23 16:32:11 | 000,000,136 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2008/11/16 08:36:02 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2008/12/01 06:04:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2008/12/01 12:36:41 | 000,000,172 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2008/12/01 12:41:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2008/12/01 16:55:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/12/02 06:33:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/12/03 09:26:50 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2008/12/04 09:55:39 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2008/12/05 06:17:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2008/12/06 07:54:24 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2008/12/06 07:54:25 | 000,000,136 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/01/03 12:59:31 | 000,000,162 | -H-- | M] () -- C:\~$Part.doc

< %PROGRAMFILES%\*. >
[2009/04/22 19:08:27 | 000,000,000 | ---D | M] -- C:\Program Files\Abbyy FineReader 6.0 Sprint
[2010/06/11 13:24:40 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/05/23 13:35:43 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2010/07/07 12:57:45 | 000,000,000 | ---D | M] -- C:\Program Files\Amazon
[2010/06/08 20:25:11 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/04/15 16:22:32 | 000,000,000 | ---D | M] -- C:\Program Files\Audacity
[2009/12/11 17:31:00 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/05/23 13:48:14 | 000,000,000 | ---D | M] -- C:\Program Files\Barbie(R) idesign(TM) Ultimate Stylist(TM)
[2010/06/08 13:44:48 | 000,000,000 | ---D | M] -- C:\Program Files\BillP Studios
[2009/12/24 06:21:55 | 000,000,000 | ---D | M] -- C:\Program Files\CheckPoint
[2009/12/15 17:50:35 | 000,000,000 | ---D | M] -- C:\Program Files\Circle Developement
[2010/08/18 15:36:26 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2002/09/18 00:19:42 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/06/08 13:43:16 | 000,000,000 | ---D | M] -- C:\Program Files\Cookienator
[2010/05/02 18:41:02 | 000,000,000 | ---D | M] -- C:\Program Files\Datel
[2009/04/13 22:14:22 | 000,000,000 | ---D | M] -- C:\Program Files\Disney
[2008/09/25 22:39:22 | 000,000,000 | ---D | M] -- C:\Program Files\Disney Interactive
[2009/10/20 05:51:12 | 000,000,000 | ---D | M] -- C:\Program Files\Dvd Ref
[2006/08/16 18:57:56 | 000,000,000 | ---D | M] -- C:\Program Files\EA SPORTS
[2010/04/28 11:36:52 | 000,000,000 | ---D | M] -- C:\Program Files\Edu-Track
[2010/05/21 11:41:41 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2009/05/08 18:51:27 | 000,000,000 | ---D | M] -- C:\Program Files\Flex Designs, Ltd
[2010/06/10 22:58:16 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2010/05/23 14:17:52 | 000,000,000 | ---D | M] -- C:\Program Files\HP
[2009/12/23 18:38:11 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/08/12 11:10:54 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/06/08 19:29:19 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2009/12/25 11:25:53 | 000,000,000 | ---D | M] -- C:\Program Files\JL2005C
[2008/11/28 08:50:39 | 000,000,000 | ---D | M] -- C:\Program Files\Kodak
[2009/04/29 18:01:19 | 000,000,000 | ---D | M] -- C:\Program Files\Lexmark 5000 Series
[2009/05/09 06:10:20 | 000,000,000 | ---D | M] -- C:\Program Files\Lexmark Toolbar
[2010/02/25 10:45:07 | 000,000,000 | ---D | M] -- C:\Program Files\Lucas Learning
[2010/08/21 17:58:18 | 000,000,000 | ---D | M] -- C:\Program Files\MagicISO
[2010/05/23 10:16:35 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/11/11 10:56:59 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/07/19 11:05:51 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger Plus! Live
[2008/09/28 22:16:10 | 000,000,000 | ---D | M] -- C:\Program Files\MessengerPlus! 3
[2009/02/21 08:54:11 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2006/01/26 13:02:26 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2008/09/29 03:33:40 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2002/09/18 00:25:17 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/12/23 12:13:36 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games
[2006/01/26 13:01:41 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2009/09/01 17:51:47 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office Outlook Connector
[2009/04/22 10:51:32 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office2K
[2009/02/21 08:50:03 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2009/01/23 18:51:02 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2006/01/26 13:01:39 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2006/02/10 11:31:14 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2006/01/26 13:00:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/08/12 11:05:24 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/08/13 11:45:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/08/22 00:02:25 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2005/12/13 22:02:23 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2002/09/18 00:18:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2006/11/18 11:13:21 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2008/11/11 10:21:19 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2008/11/27 07:55:32 | 000,000,000 | ---D | M] -- C:\Program Files\Norton AntiVirus
[2010/05/23 14:18:52 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Security Scan
[2009/01/18 20:35:07 | 000,000,000 | ---D | M] -- C:\Program Files\NOS
[2002/09/18 00:21:35 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 11:06:26 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/08/17 13:12:28 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/08/22 00:02:11 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/06/08 13:33:32 | 000,000,000 | ---D | M] -- C:\Program Files\Secunia
[2008/12/08 12:09:44 | 000,000,000 | ---D | M] -- C:\Program Files\SiS Compatible VGA V2.22
[2008/12/25 12:33:03 | 000,000,000 | ---D | M] -- C:\Program Files\SiS VGA Utilities V3.73
[2008/12/25 12:33:04 | 000,000,000 | ---D | M] -- C:\Program Files\sisagp
[2002/09/28 19:58:51 | 000,000,000 | ---D | M] -- C:\Program Files\SiSLan
[2008/12/08 12:10:13 | 000,000,000 | ---D | M] -- C:\Program Files\SiSVGA
[2006/07/13 23:25:47 | 000,000,000 | ---D | M] -- C:\Program Files\SmartDraw 7
[2009/04/22 10:51:43 | 000,000,000 | ---D | M] -- C:\Program Files\Snapshot Viewer
[2010/08/15 11:54:32 | 000,000,000 | ---D | M] -- C:\Program Files\SpywareBlaster
[2010/03/07 09:45:55 | 000,000,000 | ---D | M] -- C:\Program Files\Stamps.com Internet Postage
[2009/08/22 10:46:34 | 000,000,000 | ---D | M] -- C:\Program Files\SuperAdBlocker.com
[2010/06/07 11:56:07 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/07/13 11:08:37 | 000,000,000 | ---D | M] -- C:\Program Files\Teaching Textbooks
[2002/09/18 00:35:34 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2006/10/16 13:01:16 | 000,000,000 | ---D | M] -- C:\Program Files\Virtools
[2009/09/01 17:47:55 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/01/23 18:48:56 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2009/01/23 18:33:51 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live Toolbar
[2010/05/23 18:50:37 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/05/23 18:50:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/11/11 10:21:13 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2005/12/14 16:21:49 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/05/08 18:42:33 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2008/12/01 12:45:21 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2002/09/18 00:25:18 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/07/02 13:20:30 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2008/11/26 11:21:04 | 000,000,000 | -H-D | M] -- C:\Program Files\Zero G Registry

< %appdata%\*.* >
[2002/09/17 17:11:36 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\David and Marla\Application Data\desktop.ini


< MD5 for: AGP440.SYS >
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 02:07:41 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys




Re: Win32 on XP

Post by brick on 24th August 2010, 9:22 pm

< MD5 for: ATAPI.SYS >
[2002/08/29 15:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2002/08/29 08:00:00 | 010,158,890 | R--- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:atapi.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 01:59:42 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: DISK.SYS >
[2002/08/29 15:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:disk.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2002/08/29 08:00:00 | 010,158,890 | R--- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:disk.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:disk.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2004/08/04 01:59:54 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 03:56:42 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 03:56:44 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 03:56:44 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USBSTOR.SYS >
[2002/08/29 15:00:00 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:usbstor.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:usbstor.sys
[2002/08/29 08:00:00 | 010,158,890 | R--- | M] () .cab file -- C:\WINDOWS\I386\sp1.cab:usbstor.sys
[2006/01/02 10:47:32 | 022,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:usbstor.sys
[2008/11/11 10:07:52 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:usbstor.sys
[2004/08/04 02:08:46 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\$NtServicePackUninstall$\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\ServicePackFiles\i386\usbstor.sys
[2008/04/13 14:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\system32\drivers\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-12 15:32:01

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >


Re: Win32 on XP

Post by brick on 24th August 2010, 9:23 pm

Here are the Extra logs.

OTL Extras logfile created on: 08/24/2010 5:00:19 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\David and Marla\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

479.00 Mb Total Physical Memory | 253.00 Mb Available Physical Memory | 53.00% Memory free
874.00 Mb Paging File | 607.00 Mb Available in Paging File | 69.00% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 12.63 Gb Free Space | 33.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FRITSCH
Current User Name: David and Marla
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] --

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe:*:Disabled:backWeb-7288971 -- ()
"C:\WINDOWS\system32\lxdmcoms.exe" = C:\WINDOWS\system32\lxdmcoms.exe:*:Enabled:5000 Series Server -- ( )
"C:\Program Files\Lexmark 5000 Series\lxdmmon.exe" = C:\Program Files\Lexmark 5000 Series\lxdmmon.exe:*:Enabled:Printer Device Monitor -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmpswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmpswx.exe:*:Enabled:Printer Status Window Interface -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmtime.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmtime.exe:*:Enabled:Lexmark Connect Time Executable -- (Lexmark International, Inc.)
"C:\Program Files\Lexmark 5000 Series\lxdmFax.exe" = C:\Program Files\Lexmark 5000 Series\lxdmFax.exe:*:Enabled:Fax Solutions Software -- ()
"C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmjswx.exe" = C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdmjswx.exe:*:Enabled:Job Status Window Interface -- ()
"C:\Program Files\Lexmark 5000 Series\frun.exe" = C:\Program Files\Lexmark 5000 Series\frun.exe:*:Enabled:Printing Application -- ()
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD" = C:\Program Files\Microsoft Games\Age of Empires II\EMPIRES2.ICD:*:Enabled:Age of Empires II -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD" = C:\Program Files\Microsoft Games\Age of Empires II\age2_x1\AGE2_X1.ICD:*:Enabled:Age of Empires II Expansion -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}" = Notifier
"{015E4B8A-29B5-4AE3-BD08-38220FADFF4C}" = aspi
"{091D12F7-A074-4AFE-8401-072E8494D873}" = Clouded Horizons Character Creation Utility
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{334396FB-DF73-45A7-94FD-0C576FA87B32}" = Edu-Track Home School
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{432C3720-37BF-4BD7-8E49-F38E090246D0}" = CR2
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{469730CC-78DF-4CD3-B286-562D459EA619}" = ESSCAM
"{48C82F7A-F100-4DAB-A310-8E18BF2159E1}" = ESSvpot
"{49FC50FC-F965-40D9-89B4-CBFF80941033}" = Windows Movie Maker 2.0
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{698AC01B-DF0C-4BCE-940C-EB29AD23A560}" = Stamps.com
"{69BD6399-3D8F-45B7-81D9-819361F5101D}" = PCDLNCH
"{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{87843A41-7808-4F2E-B13F-25C1E67CF2FD}" = ESShelp
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9D1CF8B6-17B3-4832-B062-2C2DD0B57B04}" = CCHelp
"{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}" = ESScore
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}" = ESSvpaht
"{A6F18A67-B771-4191-8A33-36D2E742D6D9}" = ESSANUP
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{ABE068DF-8DC4-4947-ABFC-DD2B40850225}" = SFR2
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}" = KSU
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BF307EDA-A176-4D83-9775-D337810CF7A7}" = Cookienator
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C354C9B6-A4E0-4BB0-A368-6DC6BCA0E314}" = SFR
"{CA60320D-6A16-49C8-A34F-84EEF4799567}" = ESSTUTOR
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}" = getPlus(R) for Adobe
"{D15E9DB5-6BEB-4534-901E-80C0A29BAB97}" = ESSAdpt
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DB79F660-2822-11D5-B232-0050DACD394D}" = Disney's Phonics Quest
"{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}" = OTtBP
"Action Replay Code Manager_is1" = Action Replay Code Manager
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires Gold 1.0" = Microsoft Age of Empires Gold
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"Amazon MP3 Downloader" = Amazon MP3 Downloader 1.0.10
"Audacity_is1" = Audacity 1.2.6
"avast5" = avast! Free Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dual Mode Camera_is1" = Uninstall Dual Mode Camera
"ESET Online Scanner" = ESET Online Scanner v3
"Google Updater" = Google Updater
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{334396FB-DF73-45A7-94FD-0C576FA87B32}" = Edu-Track Home School
"InstallShield_{70F8B183-99EB-4304-BA35-080E2DFFD2A3}" = Age of Empires III
"Lexmark 5000 Series" = Lexmark 5000 Series
"Magic ISO Maker v5.5 (build 0281)" = Magic ISO Maker v5.5 (build 0281)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Math 6 Teaching Textbook" = Math 6 Teaching Textbook
"Messenger Plus! Live" = Messenger Plus! Live
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MsgPlus! Plugin" = Messenger Plus! 3 & Sponsor
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Secunia PSI" = Secunia PSI
"SiS 650_651_M650_M652_740" = SiS 650_651_M650_M652_740
"SiS VGA Driver" = SiS VGA Utilities
"SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
"SpywareBlaster_is1" = SpywareBlaster 4.3
"Stamps.com" = Stamps.com
"Star Wars DroidWorks" = Star Wars DroidWorks
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinPatrol" = WinPatrol
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update
"YInstHelper" = Yahoo! Install Manager

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 08/13/2010 11:01:48 AM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application WinPatrolEx.exe, version 18.1.2010.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/15/2010 8:02:23 AM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3855, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 08/15/2010 8:02:23 AM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.2.3855, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 08/16/2010 10:27:33 AM | Computer Name = FRITSCH | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 08/17/2010 8:56:11 AM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application msnmsgr.exe, version 14.0.8089.726, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/17/2010 12:17:47 PM | Computer Name = FRITSCH | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 08/21/2010 8:58:06 PM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.8326.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/23/2010 10:06:42 AM | Computer Name = FRITSCH | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3855, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 08/24/2010 4:04:32 PM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.3.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 08/24/2010 4:04:53 PM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.3.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 08/22/2010 11:13:21 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep SABKUTIL

Error - 08/23/2010 9:39:22 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 08/23/2010 9:39:22 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdmCATSCustConnectService
service to connect.

Error - 08/23/2010 9:39:22 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7000
Description = The lxdmCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 08/23/2010 9:39:24 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep SABKUTIL

Error - 08/23/2010 7:46:17 PM | Computer Name = FRITSCH | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.10.103 for the Network Card with network
address 0008A17B9ACA has been denied by the DHCP server 192.168.10.1 (The DHCP Server
sent a DHCPNACK message).

Error - 08/24/2010 10:44:51 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 08/24/2010 10:44:51 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the lxdmCATSCustConnectService
service to connect.

Error - 08/24/2010 10:44:51 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7000
Description = The lxdmCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 08/24/2010 10:44:53 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep SABKUTIL


< End of report >

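The System Events section of the log above repeats the same Service Control Manager entries (IDs 7026, 7023, 7009, 7000) on every boot, while the Application Hang entries are scattered one-offs. Separating the two by hand is tedious, so here is a small Python parser for that entry layout, added as an example (it is not code from the thread or from OTL): it groups entries by source, ID and description, and lists the driver names from the 7026 entries. The sample text is a subset of the log posted above; the helper names are my own.

```python
"""Group the event-log excerpt of an OTL-style report by source and event ID.

Added example; this is not code from the thread or from OTL. The sample below is a
subset of the log pasted above, and the helper names are my own.
"""
import re
from collections import Counter

# Constructed sample: four entries in the same layout as the pasted log.
SAMPLE_LOG = """\
Error - 08/22/2010 11:13:21 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep SABKUTIL

Error - 08/23/2010 9:39:22 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7000
Description = The lxdmCATSCustConnectService service failed to start due to the
following error: %%1053

Error - 08/23/2010 9:39:24 AM | Computer Name = FRITSCH | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Beep SABKUTIL

Error - 08/24/2010 4:04:32 PM | Computer Name = FRITSCH | Source = Application Hang | ID = 1002
Description = Hanging application spywareblaster.exe, version 4.3.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
"""

# One header line per entry: level, timestamp, host, source and numeric event ID.
HEADER_RE = re.compile(
    r"^(?P<level>\w+) - (?P<when>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>[^|]+?) \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
DESC_PREFIX = "Description = "


def parse_events(text):
    """Return one dict per entry; wrapped description lines are joined into one string."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        match = HEADER_RE.match(lines[0])
        if not match:
            continue  # skip anything that is not an entry (e.g. a section header)
        event = match.groupdict()
        event["id"] = int(event["id"])
        description = " ".join(line.strip() for line in lines[1:])
        if description.startswith(DESC_PREFIX):
            description = description[len(DESC_PREFIX):]
        event["description"] = description
        events.append(event)
    return events


def recurring(events, min_count=2):
    """Map (source, id, description) to how often it appears, keeping repeats only."""
    counts = Counter((e["source"], e["id"], e["description"]) for e in events)
    return {key: n for key, n in counts.items() if n >= min_count}


def failed_drivers(events):
    """Driver names listed in Service Control Manager event 7026 entries."""
    names = set()
    for e in events:
        if e["source"] == "Service Control Manager" and e["id"] == 7026:
            _, _, listed = e["description"].partition("failed to load:")
            names.update(listed.split())
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for (source, event_id, description), n in recurring(parsed).items():
        print(f"{n}x  {source} {event_id}: {description}")
    print("drivers that failed to load:", failed_drivers(parsed))
```

On the full log this separates the entries that recur on every boot (a driver entry that points at a file which no longer loads, a service that times out at start) from the one-off application hangs, which is the first thing a helper wants to know when reading a long event dump.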

Re: Win32 on XP

Post by Dr Jay on 25th August 2010, 9:23 am


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


  Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 25th August 2010, 3:17 pm

    this is it

    Running from: C:\Documents and Settings\David and Marla\Desktop\Win32kDiag.exe

    Log file at : C:\Documents and Settings\David and Marla\Desktop\Win32kDiag.txt

    WARNING: Could not get backup privileges!

    Searching 'C:\WINDOWS'...





    Finished!



    Re: Win32 on XP

    Post by brick on 25th August 2010, 7:19 pm

    Dragonmaster Jay,
    I wanted to let you know about this...we have 2 desktop computers and 2 laptop computers. All 4 have the msn live. Just today, three of the computers were being used with the msn live. The desktop you are working on is the only one that has this msn live icon with the three xxx on the task manager screen. The other two do not. When my son and I canceled the live icon with the three xxx on it, it closed his msn line. I don't know if this has anything to do with the computer and its issues, but I thought it was worth mentioning.
    thanks

    brick

    8/26/10 Thursday 8:54 am...booted up desktop and after 10 minutes it still will not open any browsers. Also tried to open Secunia, it won't completely open it and won't let me close it either.


    Re: Win32 on XP

    Post by Dr Jay on 26th August 2010, 7:59 pm

    I would say it was doing a triple chat, but I am not sure about that part.

    Please use Internet Explorer and run a [You must be registered and logged in to see this link.]

    • Please check I agree with the Terms and Conditions and click Start Here
    • You will need to allow an Active X install for the scan to run.
    • Leave the scanning options at default and click Start Scan
    Please post the results in your next reply.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 26th August 2010, 10:23 pm

    Dragonmaster Jay,
    here is the report from the scan.
    As to the other topic on the triple x msn icon running in the task manager window; I don't think the fact that three people chatting had anything to do with it because when starting the computer in the morning it is already running on the task manager window with no one chatting much less the msn live accounts even signed in. No, I feel this is something that should not be there, especially considering none of the other three computers have such item running but do have the live msn. Just a thought.....

    thanks

    brick

    BitDefender Online Scanner

    Scan report generated at: Thu, Aug 26, 2010 - 18:13:24
    Scan path: A:\;C:\;D:\;

    Statistics
    Time: 01:30:28
    Files: 213682
    Folders: 7164
    Boot Sectors: 0
    Archives: 11792
    Packed Files: 9022

    Results
    Identified Viruses: 1
    Infected Files: 1
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 1

    Engines Info
    Virus Definitions: 6271642
    Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Jun 18 2010)
    Scan plugins: 18
    Archive plugins: 44
    Unpack plugins: 10
    E-mail plugins: 6
    System plugins: 4

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File -> Status
    C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP893\A0200074.sys -> Infected with: Rootkit.38920
    C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP893\A0200074.sys -> Deleted

    Re: Win32 on XP

    Post by Dr Jay on 27th August 2010, 7:56 pm

    Save these instructions so you can have access to them while in Safe Mode.

    Please click [You must be registered and logged in to see this link.] to download AVP Tool by Kaspersky.
    • Save it to your desktop.
    • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    • Double click the setup file to run it.
    • Click Next to continue.
    • Accept the License agreement and click on next.
    • It will, by default, install it to your desktop folder. Click Next.
    • It will then open a box. There will be a tab that says Automatic scan.
    • Under Automatic scan make sure these are checked.
    • Hidden Startup Objects
    • System Memory
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)
    Leave the rest of the settings as they appear as default.
    • Then click on Scan at the top right-hand corner.
    • It will automatically Neutralize any objects found.
    • If some objects are left un-neutralized then click the button that says Neutralize all
    • If it says it cannot be neutralized then choose the delete option when prompted.
    • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
    • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

      Note: This tool will self uninstall when you close it so please save the log before closing it.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 28th August 2010, 12:36 am

    Dragonmaster Jay,
    Just finished the scan. The only thing that popped up half way through the scan was a small box that said "detected: killdrv.exe/killdrv.img.password protected"

    When the scan finished my son and I displayed the report, but for the life of us we can not figure out a way to save it and copy it, there is no place to select or save. The only line on the report says:
    " Autoscan: completed 13 minutes ago (events: 150218, objects: 147476, time: 02:17:24)"

    Now the computer is frozen in safe mode. We can not close the report. At this point I am going to bring up the task manager and close it.
    We are also going to reboot the computer out of safe mode until we hear from you next.
    *************
    Computer booted up in regular mode, the report came up on screen, still no way to copy report but I have minimized it for further reference.

    thanks

    brick


    Last edited by brick on 28th August 2010, 12:49 am; edited 1 time in total (Reason for editing : more information)


    Re: Win32 on XP

    Post by Dr Jay on 29th August 2010, 1:27 am

    Take a screenshot of infected results, if possible.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 30th August 2010, 12:40 pm

    Sorry Dragonmaster Jay,
    By the time we got your message, it was the next day....screen shot is not possible.

    On a side note, I discovered why the desktop has this messenger live icon with three xxx's.. apparently this desktop has the messenger live plus rather than just the messenger live.

    brick


    Last edited by brick on 30th August 2010, 12:42 pm; edited 1 time in total (Reason for editing : more information)


    Re: Win32 on XP

    Post by Dr Jay on 31st August 2010, 4:59 am

    Remove Messenger Plus, and let me know if that disappears.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 31st August 2010, 4:13 pm

    Good afternoon Dragonmaster Jay,

    sorry for the delayed response, our internet service was out last night until this afternoon. (sigh) I just removed the messenger live plus from the desktop and sure enough the icon is now not running on the task manager window. ( that is good) also noted that when I restarted the computer it came up much faster and opened the malware program faster too. My oldest son informed me that messenger live plus is an add-on, and that the other computers do have the add-on, but none of the others had it running constantly....which furthers my belief that it was a problem on the desktop at hand.
    At this moment, it is removed from the desktop, desktop restarted, and now we are running a quick scan of malwarebytes....we are then going to redownload the messenger live plus and see what happens. Ideally we should not have it running constantly....if all goes well. I will get back to you after that is done...

    brick


    Re: Win32 on XP

    Post by brick on 31st August 2010, 7:01 pm

    Dragonmaster Jay,
    We finished the malware scan, quick scan and it only took 17 minutes, much faster than recently. We re-downloaded the windows live plus, restarted computer, opened the windows live, closed it, opened it again and all the time checking the task manager window. At no time did the icon show up with the three xxx's. Again, furthering my belief there was a virus or something connected to what we had.
    What would you like us to do now?
    thanks!

    brick


    Last edited by brick on 31st August 2010, 7:02 pm; edited 1 time in total (Reason for editing : correct spelling)


    Re: Win32 on XP

    Post by Dr Jay on 31st August 2010, 7:15 pm

    Please do a scan with [You must be registered and logged in to see this link.]

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Note: If the scan freezes for more than 30 minutes, stop the scan, and report back to me.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 1st September 2010, 11:38 am

    Dragonmaster Jay,
    It is 7:30 am Wednesday. We started the Kaspersky scan yesterday afternoon. It took 3 hours to download the virus stuff, then it finally started scanning. At 11 pm last night it was at 82%. We went to bed. This morning it was still at 82%. I shut the computer down. I am going to attempt to re-run the scan this morning.

    brick

    8 am attempt number two....attempted to run scan using firefox, keeps giving me a message that java internet service is interrupted....that happened yesterday so I used internet explorer...we had better luck but then again it did freeze...

    8:01 am just noted the part where it said if the scan freezes for more than 30 minutes to report back to you...will not attempt anymore scans until I hear from you....( I did see that yesterday, but have not yet had morning coffee...working at a disadvantage right now (smile))


    Last edited by brick on 1st September 2010, 12:02 pm; edited 2 times in total (Reason for editing : more information)


    Re: Win32 on XP

    Post by Dr Jay on 1st September 2010, 10:15 pm

    ESET Online Scan

    Please run a free online scan with the [You must be registered and logged in to see this link.]
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 2nd September 2010, 2:09 am

    I believe this is it.

    C:\Documents and Settings\David and Marla\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-5fd71aa1 multiple threats deleted - quarantined
    C:\Documents and Settings\David and Marla\Desktop\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP899\A0200635.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP899\A0200636.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
    C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP917\A0203383.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined

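Three of the five ESET hits above sit under System Volume Information\_restore{...}\RPnnn, which is where System Restore keeps its snapshots, and the earlier BitDefender hit (RP893) was the same kind of entry. Those are copies of files that were on the disk at an earlier restore point, not files in a location the system runs today; they are still cleaned so that a later System Restore cannot bring them back. As an added example (not code from the thread or from ESET), this Python snippet parses result lines in the layout shown above and separates restore-point copies from files in live locations. The sample lines are the ones posted above; the assumed layout (path, then verdict text, then " - " and the action) and the helper names are my own.

```python
"""Sort ESET Online Scanner result lines by where the detected file lived.

Added example; not code from the thread or from ESET. The sample lines are the ones
posted above; the line layout (path, verdict text, " - ", action) and the helper
names are my own assumptions.
"""
import re

# Constructed sample: the five result lines from the post, one per line.
SAMPLE_RESULTS = r"""
C:\Documents and Settings\David and Marla\Application Data\Sun\Java\Deployment\cache\6.0\5\232ff0c5-5fd71aa1 multiple threats deleted - quarantined
C:\Documents and Settings\David and Marla\Desktop\MsgPlusLive-485.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP899\A0200635.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP899\A0200636.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FF8DE937-E04B-4680-8F88-61226D7E946D}\RP917\A0203383.exe a variant of Win32/MessengerPlus application cleaned by deleting - quarantined
"""

# Path (directory names may contain spaces, the final file name may not), then the
# verdict text, then " - " and the action ESET took.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\(?:[^\\]*\\)*[^\s\\]+) (?P<verdict>[^\\]+?) - (?P<action>[^-]+)$"
)
# System Restore stores its snapshots under _restore{GUID}\RPnnn; a hit there is a
# copy of a file that existed at that restore point, not a file in a live location.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I
)
# Family/threat names in the verdict look like "Win32/MessengerPlus".
THREAT_RE = re.compile(r"\b[A-Za-z0-9]+/[A-Za-z0-9_.]+")


def parse_results(text):
    """Return one dict per result line with path, verdict, action, restore_point, threat."""
    results = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # not a result line (blank or free text)
        item = match.groupdict()
        rp = RESTORE_RE.search(item["path"])
        item["restore_point"] = rp.group(1) if rp else None
        threat = THREAT_RE.search(item["verdict"])
        item["threat"] = threat.group(0) if threat else None
        results.append(item)
    return results


def summarize(results):
    """Split hits into live-location files and restore-point copies."""
    live = [r for r in results if r["restore_point"] is None]
    snapshots = [r for r in results if r["restore_point"] is not None]
    return {
        "live": len(live),
        "restore_point": len(snapshots),
        "restore_points": sorted({r["restore_point"] for r in snapshots}),
        "threats": sorted({r["threat"] for r in results if r["threat"]}),
        "live_paths": [r["path"] for r in live],
    }


if __name__ == "__main__":
    summary = summarize(parse_results(SAMPLE_RESULTS))
    print(f"{summary['live']} live file(s), {summary['restore_point']} restore-point copies "
          f"in {', '.join(summary['restore_points'])}")
    print("threat names seen:", summary["threats"])
    for path in summary["live_paths"]:
        print("live:", path)
```

The two live hits are the ones worth following up: the Java deployment cache entry and the Messenger Plus installer on the Desktop. The restore-point copies confirm only that the same installer had been present at earlier restore points.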

    Re: Win32 on XP

    Post by brick on 2nd September 2010, 12:16 pm

    Good morning Dragonmaster Jay,
    We posted the eset scan above last night around 10:30 pm, This morning we tried to boot up the computer and it is taking f o r e v e r! ( the actual computer booted up rather quickly but it seems to get stuck on the start up stuff and won't open the firefox browser) Then we get a script warning for something called Script:chrome://global/ content/global overlay.js:114....I don't know what that is...but it doesn't sound good...
    now another warning script: [You must be registered and logged in to see this link.]

    -----------------------
    ( it has now been 15 minutes of trying to open firefox...window task manager closed it all down but we still can not open the firefox...) getting a non responsive plug in warning. we had to shut it down completely and reboot it. It seems to be running in a circle of confusion.

    now a full 36 minutes have passed. I have shut computer down and rebooted and still it will not open firefox. It has never been so unresponsive....this is frustrating.
    ---------
    after 45 minutes I managed to open the winpatrol and look at the start up items. I canceled 2 Adobe speedlauncher programs and 1 windows live messenger and 1 windows messenger programs. Firefox finally came up. My son and I closed it down then relaunched it and it came up very quickly. I don't know if disabling those 4 programs made a difference or if the computer finally 'warmed up' enough to respond.

    thanks for your time and effort,

    brick


    Last edited by brick on 2nd September 2010, 12:53 pm; edited 4 times in total (Reason for editing : more information)


    Re: Win32 on XP

    Post by Dr Jay on 4th September 2010, 4:30 am

    Messenger Live Plus has not had a good reputation for a long time. I would recommend removing it permanently.


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 4th September 2010, 1:14 pm

    Dragonmaster Jay,
    this morning (Saturday) the desktop is signed on, very slowly it came up and going from screen to screen is slow. then avast brought up a screen that said it detected a potential malicious file in a 'storesession'. ( at the time my daughter was on msn) The eset scan you had us run found 5 virus type stuff...what do we do next?

    thanks

    brick


    Re: Win32 on XP

    Post by Dr Jay on 4th September 2010, 6:34 pm

    Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Do NOT perform a scan yet

    • Double-click on drweb-cureit.exe to start the program.
      An Express Scan of your PC notice will appear.
    • Under Start the Express Scan Now, Click OK to start the scan.
      This is a short scan that will scan the files currently running in memory.
      If something is found, click the Yes button when it asks you if you want to cure it.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the Scan tab and UNcheck Heuristic analysis
    • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
    • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
    • When finished, a message will be displayed at the bottom advising if any viruses were found.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can see the icon next to the files found.
      If so, click it, then click the next icon right below and select Move incurable.
      (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
    • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    • Save the DrWeb.csv report to your Desktop.
    • Exit Dr.Web Cureit when you have finished.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


    Dr. Jay (DJ)



    Re: Win32 on XP

    Post by brick on 6th September 2010, 1:14 pm

    Good morning Dragonmaster Jay,
    The scan took most of yesterday late afternoon and well into the night. But it ran and here is my attempt at using notepad to copy and paste the information. ( usually my oldest son helps me with that stuff) I remembered to reboot the computer first.

    thanks for the help

    brick




    f29bcdf-2abb006d\yahoo/InfoCtrl.class;C:\Documents and Settings\David and Marla\Application Data\Sun\Java\Deployment\cache\6.0\31\f29bcdf-2abb006d;Java.Downloader.30;;
    f29bcdf-2abb006d;C:\Documents and Settings\David and Marla\Application Data\Sun\Java\Deployment\cache\6.0\31;Archive contains infected objects;Moved.;
