Rogue Antivirus has me locked down


Rogue Antivirus has me locked down

Post by SquishedFlat on 6th December 2010, 7:13 pm

My desktop has one of those rogue antivirus programs, so I'm on my laptop. It will not let me go to any websites or run any programs, even my Webroot and Malwarebytes. The message says I do not have access or authorization. Numerous pop-ups about fake trojans and other virus-type things, and do I want to scan and protect my computer. I can do virtually nothing on the computer. Help!

Thanks,
SquishedFlat

SquishedFlat
Novice

Posts : 39
Joined : 2010-11-04
OS : XP
Protection : Avira, Zone Alarm
Points : 22734
# Likes : 0


Re: Rogue Antivirus has me locked down

Post by Belahzur on 6th December 2010, 8:57 pm

Hello.

We need to use the RKill Tool by Grinler

[You must be registered and logged in to see this link.]

  • Please download Rkill.com. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this [You must be registered and logged in to see this link.] if you are not sure how.
  • NOTE: If you are unable to connect to the site to download rkill, then you should download it to a clean computer and copy it to the infected one via a USB flash drive or CD-ROM.
  • Once it is downloaded, double-click on rkill.com to automatically attempt to stop any processes associated with rogue programs.
  • Please be patient while the program looks for various malware programs and ends them.
  • When it has finished, the black window will automatically close and you can continue with the next step.

NOTE: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the rogue program when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. Not closing the warning typically allows you to bypass the malware trying to protect itself, so that rkill can terminate the rogue program. So, please try running Rkill until the malware is no longer running. You will then be able to proceed with the rest of the steps.

If you continue having problems running rkill.com, you can download:
[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]
which are renamed copies of rkill.com, and try them instead.

Please download TDSSKiller from [You must be registered and logged in to see this link.] and save it to your Desktop.

  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1


Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 8th December 2010, 6:45 pm

I copied Rkill to the infected computer via flash drive and tried numerous times to run it without success. I keep getting messages including 'RKill is infected and cannot be executed' (I get the same message for anything I try to run), 'there is a problem with the path or do not have authorization to run' and others, all asking if I want to purchase their AV program or continue unprotected. It also opens IE and various porn pages or a Viagra site.

I also tried the eXplorer.exe with the same results. I just tried booting in safe mode, which worked. Then I ran RKill, which apparently worked. I then ran Malwarebytes, which found 3 infected files and removed them. I restarted in regular mode, thinking I was good to go, but had all the same infected messages and situation as before.

What now?

Thanks.


Re: Rogue Antivirus has me locked down

Post by Belahzur on 9th December 2010, 12:18 am

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.



Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 9th December 2010, 6:23 pm

While I was waiting for your last reply, I logged in via Safe Mode w/ Networking and ran RKill a couple of times, followed by Malwarebytes. This time it came back clean. I rebooted and there are no VISIBLE signs of whatever was on here.

Should I still run the OTL as you directed or something else to ensure all is well? I am also planning on loading a new firewall ASAP, but will wait for your guidance.

Thank you, thank you, thank you.

SquishedFlat


Re: Rogue Antivirus has me locked down

Post by Belahzur on 10th December 2010, 1:00 am

Yes, please run OTL.



Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 10th December 2010, 4:35 pm

OTL logfile created on: 12/10/2010 10:12:19 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Scott\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 54.00 Mb Available Physical Memory | 21.00% Memory free
903.00 Mb Paging File | 371.00 Mb Available in Paging File | 41.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 39.26 Gb Free Space | 52.70% Space Free | Partition Type: NTFS

Computer Name: DH7BJP11 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/10 09:56:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Scott\Desktop\OTL.exe
PRC - [2010/11/11 22:13:51 | 001,286,960 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
PRC - [2010/11/11 22:13:47 | 003,066,528 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
PRC - [2010/09/22 13:41:50 | 003,872,776 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] -- C:\Program Files\Webroot\Security\Current\plugins\antimalware\AEI.exe
PRC - [2010/09/22 13:41:30 | 000,157,536 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] -- C:\Program Files\Webroot\Security\Current\plugins\antimalware\SSU.exe
PRC - [2010/03/17 15:55:42 | 001,565,696 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Verizon\McciTrayApp.exe
PRC - [2009/03/05 15:14:12 | 002,035,712 | ---- | M] (Ascentive LLC) -- C:\Program Files\Ascentive\ActiveSpeed\AS.exe
PRC - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008/09/30 13:06:50 | 000,485,208 | ---- | M] (Nikon Corporation) -- C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/02/01 17:33:38 | 001,880,064 | ---- | M] (Verizon) -- C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
PRC - [2006/01/20 13:48:06 | 000,142,416 | R--- | M] (Command Software Systems, Inc.) -- C:\Program Files\Common Files\Command Software\dvpapi.exe
PRC - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\SYSTEM32\HPZipm12.exe
PRC - [2003/08/11 22:30:09 | 000,126,976 | ---- | M] () -- C:\Program Files\Picasa\PicasaMediaDetector.exe
PRC - [2003/04/13 17:00:23 | 000,052,736 | ---- | M] (Macrovision) -- C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
PRC - [2002/07/11 15:15:20 | 000,270,336 | ---- | M] () -- C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
PRC - [2002/04/10 16:44:04 | 000,679,936 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/04/03 15:47:38 | 000,290,816 | ---- | M] (Voyetra Turtle Beach, Inc.) -- C:\WINDOWS\SYSTEM32\tbctray.exe


========== Modules (SafeList) ==========

MOD - [2010/12/10 09:56:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Scott\Desktop\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/03/17 15:53:28 | 000,198,656 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\Common Files\Motive\McciContextHook_DSR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/11/11 22:13:47 | 003,066,528 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe -- (WRConsumerService)
SRV - [2010/09/22 13:41:50 | 003,872,776 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] [Auto | Running] -- C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe -- (WebrootSpySweeperService)
SRV - [2008/10/10 04:45:26 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2006/01/20 13:48:06 | 000,142,416 | R--- | M] (Command Software Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Command Software\dvpapi.exe -- (dvpapi)
SRV - [2004/09/29 11:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\SYSTEM32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2003/04/13 17:00:23 | 000,052,736 | ---- | M] (Macrovision) [Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE -- (C-DillaCdaC11BA)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\XTrapD12.sys -- (XTrapD12)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Scott\LOCALS~1\Temp\jgameenp.sys -- (jgameenp)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\ibbtloam.pel -- (IBBTLOAM)
DRV - [2010/06/17 14:49:10 | 000,182,056 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSIDRV.SYS -- (SSIDRV)
DRV - [2010/06/17 14:49:10 | 000,045,072 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] [File_System | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ssfmonm.sys -- (SSFMONM)
DRV - [2010/06/17 14:49:10 | 000,024,496 | ---- | M] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\Drivers\SSHRMD.SYS -- (SSHRMD)
DRV - [2010/03/17 15:53:38 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/03/17 15:53:22 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/04/13 13:45:29 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\gameenum.sys -- (gameenum)
DRV - [2008/04/13 13:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 13:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2006/01/20 13:40:42 | 000,783,984 | R--- | M] (Command Software Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\css-dvp.sys -- (CSS DVP)
DRV - [2003/10/06 13:16:00 | 001,550,043 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys -- (nv)
DRV - [2003/08/29 03:59:24 | 001,101,696 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys -- (BCMModem)
DRV - [2003/04/13 17:00:22 | 000,011,376 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\CdaC15BA.SYS -- (CdaC15BA)
DRV - [2002/07/24 15:57:38 | 000,059,440 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/07/24 15:57:38 | 000,023,724 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/04/10 17:01:12 | 000,024,554 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/04/10 17:01:00 | 000,029,638 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/04/10 17:00:44 | 000,117,898 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2k)
DRV - [2002/04/10 16:48:04 | 000,236,032 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp)
DRV - [2002/04/10 16:45:16 | 000,206,336 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/04/03 15:51:16 | 000,545,088 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tbcwdm.sys -- (tbcwdm)
DRV - [2002/04/03 15:51:12 | 000,144,768 | ---- | M] (Voyetra Turtle Beach) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\tbcspud.sys -- (tbcspud)
DRV - [2002/03/21 19:44:32 | 000,019,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\Turtle Beach\Santa Cruz\Control Panel\vtdg46xx.sys -- (vtdg46xx)
DRV - [2001/09/03 17:14:38 | 000,025,454 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\RTL8139.sys -- (rtl8139)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:24 | 000,038,144 | ---- | M] (HighPoint Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\hpt3xx.sys -- (hpt3xx)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2001/08/17 12:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4.SYS -- (nv4)
DRV - [2001/08/17 12:11:06 | 000,066,591 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS -- (EL90XBC)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:43902

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1,localho,t,127.0.0.1,*.local"
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 61495
FF - prefs.js..network.proxy.type: 1


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/29 03:01:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/11/19 18:53:54 | 000,000,000 | ---D | M]

[2010/07/15 22:14:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Scott\Application Data\Mozilla\Extensions
[2009/04/14 19:07:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Scott\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/11/02 12:54:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Scott\Application Data\Mozilla\Firefox\Profiles\nglxs7bv.default\extensions
[2010/07/16 09:17:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Scott\Application Data\Mozilla\Firefox\Profiles\nglxs7bv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/15 22:11:55 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/11/11 22:20:47 | 000,000,137 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe (Ascentive LLC)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe ()
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe (Voyetra Turtle Beach, Inc.)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe (Verizon)
O4 - HKLM..\Run: [WebrootTrayApp] C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe (Webroot Software, Inc. )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe File not found
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk File not found
O9 - Extra Button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O15 - HKCU\..Trusted Domains: //@install.mar@ ([]msni in My Computer)
O15 - HKCU\..Trusted Domains: //@mail.mar@ ([]msni in Local intranet)
O15 - HKCU\..Trusted Domains: ebay.com ([my] http in Trusted sites)
O15 - HKCU\..Trusted Domains: ebay.com ([signin] https in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} [You must be registered and logged in to see this link.] (Support.com Configuration Class)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} [You must be registered and logged in to see this link.] (LinkedIn ContactFinderControl)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_10)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} [You must be registered and logged in to see this link.] (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_10)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_10)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: vzTCPConfig [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O22 - SharedTaskScheduler: {e3623691-f85d-48d8-8e4d-abe79077f841} - awash - Reg Error: Key error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Scott\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Authentication Packages - (ows\s) - File not found
O30 - LSA: Security Packages - (indows.common-controls_6595b641) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2001/11/15 07:31:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/10 10:11:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Scott\Recent
[2010/12/10 09:56:38 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Scott\Desktop\OTL.exe
[2010/11/11 22:17:21 | 000,182,056 | ---- | C] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\drivers\ssidrv.sys
[2010/11/11 22:17:21 | 000,045,072 | ---- | C] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\drivers\ssfmonm.sys
[2010/11/11 22:17:21 | 000,024,496 | ---- | C] (Webroot Software, Inc. ([You must be registered and logged in to see this link.] -- C:\WINDOWS\System32\drivers\sshrmd.sys
[2010/11/11 22:13:57 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{E15A1CA7-D908-4C28-ADCF-C23723A9D28D}
[2010/11/11 22:12:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Webroot
[2008/11/21 11:44:51 | 002,934,272 | ---- | C] (Piriform Ltd) -- C:\Program Files\ccsetup.exe
[2007/07/26 11:16:59 | 049,943,864 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2007/07/03 19:58:47 | 609,203,729 | ---- | C] (Nexon ) -- C:\Program Files\MSSetup.exe
[2007/04/08 03:54:46 | 013,287,696 | ---- | C] (Webroot Software, Inc. ) -- C:\Program Files\sspsetup1673_.exe
[2006/06/08 11:44:24 | 008,785,512 | ---- | C] (Webroot Software, Inc. ) -- C:\Program Files\sspsetup1673_en.exe
[2006/05/12 11:35:03 | 011,817,800 | ---- | C] (InstallShield Software Corporation) -- C:\Program Files\GoogleEarth.exe
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/10 10:17:01 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{70649BE7-DAF4-4542-A595-8E0468A1A769}.job
[2010/12/10 09:56:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Scott\Desktop\OTL.exe
[2010/12/10 09:40:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2010/12/10 09:26:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/12/10 08:40:18 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2010/12/10 07:40:15 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At23.job
[2010/12/10 03:41:50 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At16.job
[2010/12/10 02:40:07 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At17.job
[2010/12/10 01:40:04 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At11.job
[2010/12/10 00:40:03 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2010/12/10 00:26:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/12/09 23:40:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2010/12/09 22:40:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2010/12/09 21:40:00 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At10.job
[2010/12/09 20:40:03 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2010/12/09 19:40:13 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2010/12/09 18:40:13 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At1.job
[2010/12/09 17:40:03 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2010/12/09 16:40:02 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At13.job
[2010/12/09 15:40:03 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2010/12/09 14:40:06 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2010/12/09 13:40:01 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At3.job
[2010/12/09 12:43:22 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At12.job
[2010/12/09 12:21:55 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At24.job
[2010/12/09 12:21:55 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2010/12/09 12:21:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/12/09 12:21:45 | 267,468,800 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/09 02:27:24 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/12/09 02:24:34 | 000,007,015 | ---- | M] () -- C:\Documents and Settings\Scott\Application Data\D4C2.E5F
[2010/12/08 11:10:48 | 000,134,656 | ---- | M] () -- C:\Documents and Settings\Scott\Application Data\dwm.exe
[2010/12/07 10:55:19 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At22.job
[2010/12/07 10:55:19 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At15.job
[2010/12/07 10:55:19 | 000,000,408 | ---- | M] () -- C:\WINDOWS\tasks\At14.job
[2010/12/06 16:07:22 | 000,660,752 | ---- | M] () -- C:\Documents and Settings\Scott\Desktop\rkill.com
[2010/12/05 16:53:57 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2010/12/01 10:20:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/11/12 01:43:10 | 000,012,477 | ---- | M] () -- C:\WINDOWS\System32\234.js
[2010/11/11 22:14:10 | 000,001,968 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus with Spy Sweeper.lnk
[2010/11/11 22:11:57 | 004,687,112 | ---- | M] (Webroot Software, Inc. ) -- C:\Documents and Settings\Scott\My Documents\WRInstallSetup_1.exe
[2010/11/11 21:27:43 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/11/11 21:27:42 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[8 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/09 02:24:03 | 267,468,800 | -HS- | C] () -- C:\hiberfil.sys
[2010/12/08 11:10:48 | 000,134,656 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\dwm.exe
[2010/12/06 16:07:46 | 000,660,752 | ---- | C] () -- C:\Documents and Settings\Scott\Desktop\rkill.com
[2010/12/05 23:54:53 | 000,007,015 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\D4C2.E5F
[2010/11/11 22:17:24 | 000,017,472 | ---- | C] () -- C:\WINDOWS\System32\SsiEfr.exe
[2010/11/11 22:14:10 | 000,001,968 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Webroot AntiVirus with Spy Sweeper.lnk
[2010/11/11 21:40:03 | 000,012,477 | ---- | C] () -- C:\WINDOWS\System32\234.js
[2010/11/02 13:44:49 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\completescan
[2010/11/02 12:26:08 | 000,000,010 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\install
[2010/09/30 16:42:57 | 000,030,424 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2010/09/28 11:45:36 | 000,001,349 | ---- | C] () -- C:\WINDOWS\Mpcwty02.ini
[2010/09/23 09:17:41 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Scott\Local Settings\Application Data\PUTTY.RND
[2010/03/04 09:37:31 | 000,594,160 | ---- | C] () -- C:\WINDOWS\System32\wodCertificate.dll
[2010/03/04 09:36:44 | 000,589,960 | ---- | C] () -- C:\WINDOWS\System32\brgrt.dll
[2009/10/16 13:17:09 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Error Handlers
[2009/10/16 13:17:08 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\Scott\Application Data\Electric Piano
[2009/10/16 13:17:08 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
[2009/06/01 20:45:46 | 000,223,232 | ---- | C] () -- C:\WINDOWS\System32\sqlite3.dll
[2009/06/01 20:45:26 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\SQLiteWrapper.dll
[2007/04/10 23:00:02 | 000,000,016 | ---- | C] () -- C:\WINDOWS\System32\lfd32.ini
[2007/03/20 15:22:59 | 000,111,227 | ---- | C] () -- C:\WINDOWS\System32\drivers\dump_wmimmc.sys.OLD.sys
[2007/02/02 16:52:12 | 000,000,051 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2007/01/16 16:25:11 | 000,062,967 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\PatchUpdate_HP_CounterReport_Update_HPSU.log
[2007/01/16 16:25:11 | 000,000,227 | ---- | C] () -- C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
[2007/01/16 16:24:41 | 000,002,073 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\HPSU_48BitScanUpdate.log
[2007/01/16 16:24:41 | 000,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/01/16 16:03:01 | 000,031,164 | ---- | C] () -- C:\Documents and Settings\Scott\Application Data\Update_HP_RedboxHprblog_HPSU.log
[2007/01/16 16:03:01 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2007/01/06 10:22:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\intr32.dll
[2006/12/28 14:15:10 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/08/07 14:50:27 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.Scott.ini
[2006/06/17 11:23:32 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2006/06/08 11:59:40 | 000,102,912 | ---- | C] () -- C:\WINDOWS\System32\islzma.dll
[2006/06/08 11:59:28 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/06/08 11:59:28 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2005/10/15 17:22:57 | 000,000,337 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005/10/15 17:19:06 | 000,000,076 | ---- | C] () -- C:\WINDOWS\mbjr.ini
[2005/10/15 17:19:01 | 000,094,720 | ---- | C] () -- C:\WINDOWS\System32\SH30W32.DLL
[2005/08/30 19:59:11 | 000,063,488 | ---- | C] () -- C:\WINDOWS\xobglu16.dll
[2005/08/30 19:59:11 | 000,023,552 | ---- | C] () -- C:\WINDOWS\xobglu32.dll
[2004/12/31 18:59:07 | 000,000,123 | ---- | C] () -- C:\WINDOWS\disney.ini
[2004/06/26 18:40:12 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/04/12 22:17:23 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\IMPLODE.DLL
[2004/04/12 19:38:13 | 000,000,048 | ---- | C] () -- C:\WINDOWS\PerWin.ini
[2004/02/14 13:14:22 | 000,000,043 | ---- | C] () -- C:\WINDOWS\Tlcpromo.ini
[2004/01/20 21:28:23 | 005,452,936 | ---- | C] () -- C:\Program Files\DivX511Bundle.exe
[2004/01/19 01:20:58 | 000,123,392 | ---- | C] () -- C:\Documents and Settings\Scott\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003/10/06 13:16:00 | 000,027,136 | ---- | C] () -- C:\WINDOWS\System32\nvcod.dll
[2003/09/10 20:33:28 | 000,000,551 | ---- | C] () -- C:\WINDOWS\DMI.ini
[2003/09/07 17:11:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2003/07/13 08:52:06 | 000,000,289 | ---- | C] () -- C:\WINDOWS\rbjr.ini
[2003/06/20 07:51:23 | 000,000,069 | ---- | C] () -- C:\WINDOWS\TLCAPPS.INI
[2003/06/15 16:05:46 | 000,000,070 | ---- | C] () -- C:\WINDOWS\VSV.INI
[2003/06/10 15:24:54 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2003/05/27 18:42:29 | 000,000,067 | ---- | C] () -- C:\WINDOWS\KA.INI
[2003/05/27 18:39:56 | 000,000,574 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2003/04/13 17:00:24 | 000,202,752 | ---- | C] () -- C:\WINDOWS\CDAC14BA.DLL
[2003/04/13 17:00:22 | 000,011,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\CdaC15BA.SYS
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/07/24 15:59:26 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/07/24 15:50:48 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/07/24 14:32:08 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2001/11/15 08:19:38 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2001/11/15 07:31:02 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/07/06 14:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

< End of report >

OTL Extras logfile created on: 12/10/2010 10:12:19 AM - Run 1
OTL by OldTimer - Version 3.2.17.3 Folder = C:\Documents and Settings\Scott\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 54.00 Mb Available Physical Memory | 21.00% Memory free
903.00 Mb Paging File | 371.00 Mb Available in Paging File | 41.00% Paging File free
Paging file location(s): C:\pagefile.sys 384 768 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 39.26 Gb Free Space | 52.70% Space Free | Partition Type: NTFS

Computer Name: DH7BJP11 | User Name: Scott | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.js [@ = Reg Error: Key error.] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
jsfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"135:TCP" = 135:TCP:*:Enabled:DCOM(135)

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\America's Army\System\ArmyOps.exe" = C:\Program Files\America's Army\System\ArmyOps.exe:*:Disabled:ArmyOps -- File not found
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Documents and Settings\Scott\Desktop\Matt\My folder for my folderz\My folders\Importint stuff\Funn stuff\My stuff\Gamez\LimeWire\LimeWire.exe" = C:\Documents and Settings\Scott\Desktop\Matt\My folder for my folderz\My folders\Importint stuff\Funn stuff\My stuff\Gamez\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Disabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Disabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000000-785F-478A-BAA2-87F1A136068C}" = MSN Encarta Plus Support Files
"{008EF266-872C-4D71-9D9D-C4A9B9B733D7}" = PlayLinc
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{11F1920A-56A2-4642-B6E0-3B31A12C9288}" = Dell Solution Center
"{12BDDF23-B1DB-49C8-92D3-3E6841CCED61}" = Microsoft Streets and Trips 2002
"{13F2D4A5-E141-4BBF-898F-E36293348540}" = PC SpeedScan Pro
"{151C555A-A9E7-4A2E-B6D7-165D04A3C956}" = Dell Picture Studio - Dell Image Expert
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{237CD223-1B9D-47E8-A76C-E478B83CCEA2}" = File Uploader
"{2466E904-7E48-4597-9321-722CF02930EB}" = 5600
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 10
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{2E7595EC-4FB1-4E29-93D4-9083C8A9B107}" = TurboTax ItsDeductible 2005
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36495C59-089C-49D1-BD15-9E5BD86DC9A1}" = ItsDeductible Express
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Dell Modem-On-Hold
"{40ACEAF4-1EB2-45FC-90C3-6810700C0595}" = Verizon PC Security Checkup
"{4F1CECBC-670F-4daa-81D6-944B12450917}" = DIGReqEx
"{546A007F-472A-4107-82AE-2790E2C9C89E}" = PC SpeedScan Pro
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{595ED82D-446E-4C0B-B327-216AE31E9471}" = TurboTax 2008 wmdiper
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6994491D-D491-48F1-AE1F-E179C1FFFC2F}" = HP Photosmart Essential
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6D75B1F6-1A91-42F5-B637-FABB5095C830}" = Security Advisor
"{6DA9102E-199F-43A0-A36B-6EF48081A658}" = MobileMe Control Panel
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{75E09F44-A4F1-4992-A002-9F6A63A35923}" = ActiveSpeed
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7DCA3763-701D-45DD-8F6B-A8C3206C0289}" = ActiveSpeed
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{80F24F31-F641-4349-83F3-59E335976D16}" = PC SpeedScan Pro
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8B287B75-DF8D-40C8-9620-8E4492C38EF1}" = Webroot Software
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90D55A3F-1D99-4C94-A77E-46DC14F0BF08}" = Help and Support Customization
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91E8A85F-2960-40ED-BA84-7F4567BB00C0}" = Dell | Support
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{95120000-011C-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}" = Apple Mobile Device Support
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{9F7FC79B-3059-4264-9450-39EB368E3220}" = Microsoft Picture It! Library 9
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A4D58580-EA01-11D3-9318-008048B86EFE}" = Santa Cruz
"{A586D09E-1D2C-11D3-9A6B-00105A98B681}" = Microsoft Picture It! Express 2000
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{BFD5AC8A-5884-4da8-9873-3DF8E3DCCE18}" = 5600Trb
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2444FA0-04AA-4221-B652-73713947ED22}" = Anti-Spyware
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C769A271-7E1C-48F9-B331-474600DD4C06}" = Microsoft Picture It! Photo 2002
"{CC7984C5-020D-4944-85A0-58D09D4A8BFB}" = 5600_Help
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"{CF5193F7-6B37-11D5-B7D2-00AA00A204F1}" = Microsoft Money 2002 System Pack
"{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}" = Nikon Message Center
"{D3386797-A836-4030-AB5D-4E89F2F15F33}" = Authentium
"{D45E8C45-B601-4A80-AFD8-E16338744DE1}" = ArcSoft Panorama Maker 4
"{DBA8B9E1-C6FF-4624-9598-73D3B41A0900}" = Microsoft Picture It! Express 9
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}" = iTunes
"{E3436EE2-D5CB-4249-840B-3A0140CC34C3}" = Classic PhoneTools
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E7298FD5-1386-11D5-8D6C-0050DAD32D95}" = Microsoft Money 2002
"{E9757890-7EC5-46C8-99AB-B00F07B6525C}" = Nikon Transfer
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F1D3D463-023F-4BC6-B0C4-E287E24A635A}" = ActiveSpeed
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FE57DE70-95DE-4B64-9266-84DA811053DB}" = HP Update
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"BaboViolent 2_is1" = BaboViolent 2.11
"Barrow Hill" = Barrow Hill
"BCM V.92 56K Modem" = BCM V.92 56K Modem
"BREE5" = Brownstone Equation Editor 5
"CCleaner" = CCleaner
"CdaC13Ba" = SafeCast Shared Components
"Defraggler" = Defraggler
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"igLoader" = igLoader
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSN Music Assistant" = MSN Music Assistant
"MSNINST" = MSN
"Nebulae Fighter Special Edition" = Nebulae Fighter Special Edition
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers
"NVIDIA Display Driver" = NVIDIA Display Driver
"Picasa" = Picasa
"PictureIt_POD_v9" = Microsoft Picture It! Library 9
"PictureIt_v9" = Microsoft Picture It! Express 9
"Rp Scan and Clean {40ACEAF4-1EB2-45FC-90C3-6810700C0595}" = Verizon PC Security Checkup
"RSX2DeinstKey" = Intel RSX 3D
"Shockwave" = Shockwave
"SHRThinkingGames" = Schoolhouse Rock Thinking Games
"Spellagories" = Spellagories
"TurboTax 2008" = TurboTax 2008
"TurboTax Deluxe 2004" = TurboTax Deluxe 2004
"TurboTax Deluxe 2005" = TurboTax Deluxe 2005
"TurboTax Deluxe 2007" = TurboTax Deluxe 2007
"TurboTax Deluxe Deduction Maximizer 2006" = TurboTax Deluxe Deduction Maximizer 2006
"Tutor" = Tutor
"unWNW1.0" = Webster's New World Dictionary
"Verizon Help and Support" = Verizon Help and Support Tool
"VZBB" = Verizon Broadband Toolbar
"Webroot Software" = Webroot Software
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2002Setup" = Microsoft Works 2002 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/6/2010 6:58:08 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2764) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:58:18 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2764) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:58:35 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2716) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:58:45 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2716) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:05 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (3096) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:15 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (3096) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:27 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (3384) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:37 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (3384) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:49 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2600) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 12/6/2010 6:59:59 AM | Computer Name = DH7BJP11 | Source = ESENT | ID = 490
Description = wuauclt (2600) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

[ System Events ]
Error - 12/9/2010 4:22:12 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:16 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:20 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:23 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:31 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:31 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 4:22:34 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 7:12:05 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 12/9/2010 1:24:43 PM | Computer Name = DH7BJP11 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NVSvc service.

Error - 12/10/2010 3:37:47 AM | Computer Name = DH7BJP11 | Source = Disk | ID = 262151
Description = The device, \Device\Harddisk0\D, has a bad block.


< End of report >

SquishedFlat

Re: Rogue Antivirus has me locked down

Post by Belahzur on 11th December 2010, 12:35 am

Hello.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 11th December 2010, 3:16 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xFA032000 \WINDOWS\system32\KDCOM.DLL
0xF9F42000 \WINDOWS\system32\BOOTVID.dll
0xF9AE3000 ACPI.sys
0xFA034000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
0xF9AD2000 pci.sys
0xF9B32000 isapnp.sys
0xF9B42000 SSHRMD.SYS
0xF9AA1000 SSIDRV.SYS
0xF9A74000 \WINDOWS\SYSTEM32\Drivers\NDIS.SYS
0xF9DB2000 \WINDOWS\SYSTEM32\Drivers\TDI.SYS
0xFA036000 intelide.sys
0xF9DBA000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF9B52000 MountMgr.sys
0xF9A55000 ftdisk.sys
0xF9DC2000 PartMgr.sys
0xF9B62000 VolSnap.sys
0xF9A3D000 atapi.sys
0xF9B72000 disk.sys
0xF9B82000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF9A1D000 fltmgr.sys
0xF9A0B000 sr.sys
0xF9DCA000 PxHelp20.sys
0xF99F4000 KSecDD.sys
0xF9967000 Ntfs.sys
0xF994D000 Mup.sys
0xF9B92000 agp440.sys
0xF9DA2000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF857F000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
0xF856B000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF9ED2000 \SystemRoot\System32\DRIVERS\RTL8139.SYS
0xF845E000 \SystemRoot\System32\DRIVERS\BCMSM.sys
0xF843B000 \SystemRoot\System32\DRIVERS\ks.sys
0xF9EDA000 \SystemRoot\System32\Drivers\Modem.SYS
0xF8417000 \SystemRoot\system32\drivers\tbcspud.sys
0xFA088000 \SystemRoot\system32\drivers\tbcos.sys
0xF9EE2000 \SystemRoot\System32\DRIVERS\fdc.sys
0xF9BB2000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF9EEA000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF9EF2000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF9BC2000 \SystemRoot\System32\DRIVERS\serial.sys
0xF90E2000 \SystemRoot\System32\DRIVERS\serenum.sys
0xF8403000 \SystemRoot\System32\DRIVERS\parport.sys
0xF9BD2000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF9BE2000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF9BF2000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF9C02000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF83EA000 \SystemRoot\System32\Drivers\pwd_2k.SYS
0xF9EFA000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF90DA000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF9F02000 \SystemRoot\System32\DRIVERS\usbuhci.sys
0xF83C6000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
0xFA25B000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF9C12000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF90D2000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF83AF000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF9C22000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF9C32000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF839E000 \SystemRoot\System32\DRIVERS\psched.sys
0xF9C42000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF9F0A000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF9F12000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF9C52000 \SystemRoot\System32\DRIVERS\termdd.sys
0xFA096000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF8340000 \SystemRoot\System32\DRIVERS\update.sys
0xF9FBE000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF9F1A000 \SystemRoot\System32\Drivers\mmc_2K.SYS
0xF9D02000 \SystemRoot\System32\DRIVERS\usbhub.sys
0xFA09C000 \SystemRoot\System32\DRIVERS\USBD.SYS
0xF9C72000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF9FE6000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF66C4000 \SystemRoot\system32\drivers\tbcwdm.sys
0xF66A0000 \SystemRoot\system32\drivers\portcls.sys
0xF8735000 \SystemRoot\system32\drivers\drmk.sys
0xF9FFA000 \SystemRoot\System32\DRIVERS\gameenum.sys
0xF53A6000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF9FCA000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xFA050000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF497F000 \SystemRoot\System32\Drivers\Null.SYS
0xFA052000 \SystemRoot\System32\Drivers\Beep.SYS
0xF4F66000 \SystemRoot\System32\drivers\vga.sys
0xFA054000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xFA056000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF44D2000 \SystemRoot\System32\Drivers\cdudf_xp.SYS
0xF4F5E000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF4C05000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF4465000 \SystemRoot\System32\Drivers\UdfReadr_xp.SYS
0xF61EB000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xF4440000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xF43E7000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xF43BF000 \SystemRoot\System32\DRIVERS\netbt.sys
0xF61E3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF439D000 \SystemRoot\System32\drivers\afd.sys
0xF4B2D000 \SystemRoot\System32\DRIVERS\netbios.sys
0xF4368000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xF42D0000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xF48C2000 \SystemRoot\System32\Drivers\Fips.SYS
0xF42AA000 \SystemRoot\System32\DRIVERS\ipnat.sys
0xF48B2000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xF4BBD000 \SystemRoot\System32\DRIVERS\usbccgp.sys
0xF4D7E000 \SystemRoot\System32\DRIVERS\usbscan.sys
0xF47AA000 \SystemRoot\System32\DRIVERS\usbprint.sys
0xF47A2000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF4695000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF4D7A000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF0484000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xFA0AA000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF1FE7000 \SystemRoot\System32\drivers\Dxapi.sys
0xF4038000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xFA262000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF641A000 \SystemRoot\SYSTEM32\Drivers\SSFMONM.SYS
0xF4D66000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xEE2EE000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xF0DB1000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEE289000 \SystemRoot\system32\drivers\wdmaud.sys
0xF63CA000 \SystemRoot\system32\drivers\sysaudio.sys
0xEE383000 \??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS
0xEE0DD000 \SystemRoot\system32\DRIVERS\css-dvp.sys
0xEE0B9000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEE21B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xED668000 \SystemRoot\System32\DRIVERS\srv.sys
0xEE041000 \SystemRoot\System32\DRIVERS\secdrv.sys
0xEEF02000 \SystemRoot\System32\Drivers\HTTP.sys
0xEE530000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 72):
0 System Idle Process
4 System
456 C:\WINDOWS\SYSTEM32\smss.exe
520 csrss.exe
544 C:\WINDOWS\SYSTEM32\winlogon.exe
588 C:\WINDOWS\SYSTEM32\services.exe
600 C:\WINDOWS\SYSTEM32\lsass.exe
744 C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
764 C:\WINDOWS\SYSTEM32\svchost.exe
856 svchost.exe
912 C:\WINDOWS\SYSTEM32\svchost.exe
1040 svchost.exe
1200 svchost.exe
1312 C:\WINDOWS\explorer.exe
1376 C:\WINDOWS\SYSTEM32\spoolsv.exe
1600 svchost.exe
1672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
1692 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1716 C:\Program Files\Bonjour\mDNSResponder.exe
1732 C:\WINDOWS\BCMSMMSG.exe
1756 C:\WINDOWS\SYSTEM32\DRIVERS\CDAC11BA.EXE
1796 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
1816 C:\Program Files\Common Files\Command Software\dvpapi.exe
1856 C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
1852 C:\WINDOWS\SYSTEM32\ctfmon.exe
1868 C:\Program Files\Picasa\PicasaMediaDetector.exe
1960 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
1976 C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
2016 C:\Program Files\Ascentive\ActiveSpeed\AS.exe
164 C:\Program Files\Verizon\McciTrayApp.exe
176 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
188 C:\Program Files\Google\Update\GoogleUpdate.exe
212 C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
524 C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
712 C:\WINDOWS\SYSTEM32\tbctray.exe
1096 C:\Program Files\Java\jre6\bin\jqs.exe
1172 C:\Program Files\Common Files\Motive\McciCMService.exe
1572 C:\WINDOWS\SYSTEM32\nvsvc32.exe
1748 C:\WINDOWS\SYSTEM32\HPZipm12.exe
2060 C:\WINDOWS\SYSTEM32\svchost.exe
3352 alg.exe
836 C:\WINDOWS\SYSTEM32\svchost.exe
3168 C:\WINDOWS\SYSTEM32\mshta.exe
2964 C:\WINDOWS\SYSTEM32\mshta.exe
1068 C:\WINDOWS\SYSTEM32\mshta.exe
2744 C:\WINDOWS\SYSTEM32\mshta.exe
432 C:\WINDOWS\SYSTEM32\mshta.exe
3308 C:\WINDOWS\SYSTEM32\mshta.exe
1888 C:\WINDOWS\SYSTEM32\mshta.exe
232 C:\WINDOWS\SYSTEM32\mshta.exe
2136 C:\WINDOWS\SYSTEM32\mshta.exe
1640 C:\WINDOWS\SYSTEM32\mshta.exe
1948 C:\WINDOWS\SYSTEM32\mshta.exe
3400 C:\WINDOWS\SYSTEM32\mshta.exe
2532 C:\WINDOWS\SYSTEM32\mshta.exe
3552 C:\WINDOWS\SYSTEM32\mshta.exe
2368 C:\WINDOWS\SYSTEM32\mshta.exe
2696 C:\WINDOWS\SYSTEM32\mshta.exe
1276 C:\WINDOWS\SYSTEM32\mshta.exe
1164 C:\WINDOWS\SYSTEM32\mshta.exe
2932 C:\WINDOWS\SYSTEM32\mshta.exe
3700 C:\WINDOWS\SYSTEM32\mshta.exe
3792 C:\WINDOWS\SYSTEM32\mshta.exe
2620 C:\WINDOWS\SYSTEM32\mshta.exe
2352 C:\WINDOWS\SYSTEM32\mshta.exe
1280 C:\Program Files\Internet Explorer\iexplore.exe
2116 C:\Program Files\Internet Explorer\iexplore.exe
3912 C:\WINDOWS\SYSTEM32\mshta.exe
2308 C:\WINDOWS\SYSTEM32\mshta.exe
264 C:\WINDOWS\SYSTEM32\mshta.exe
840 C:\WINDOWS\SYSTEM32\mshta.exe
3604 C:\Documents and Settings\Scott\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`01f60800 (NTFS)

PhysicalDrive0 Model Number: ST380021A, Rev: 3.75

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

SquishedFlat

Re: Rogue Antivirus has me locked down

Post by Belahzur on 11th December 2010, 5:40 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




Belahzur

Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 13th December 2010, 4:58 pm

Hi.

Just so you know, this log is from a newer version of ComboFix, if by chance that matters.

Thanks! SF

ComboFix 10-12-12.03 - Scott 12/13/2010 11:16:51.1.1 - x86
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Scott\Application Data\completescan
c:\documents and settings\Scott\Application Data\install
c:\windows\system32\lfd32.ini
c:\windows\system32\msdtc_32.exe
c:\windows\system32\tmp.reg
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-13 14:56 . 2010-12-13 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2001-08-18 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2008-11-21 16:45 . 2008-11-21 16:44 2934272 ----a-w- c:\program files\ccsetup.exe
2007-07-26 16:18 . 2007-07-26 16:16 49943864 ----a-w- c:\program files\iTunesSetup.exe
2007-07-04 01:08 . 2007-07-04 00:58 609203729 ----a-w- c:\program files\MSSetup.exe
2007-04-08 08:54 . 2007-04-08 08:54 13287696 ----a-w- c:\program files\sspsetup1673_.exe
2006-06-08 16:44 . 2006-06-08 16:44 8785512 ----a-w- c:\program files\sspsetup1673_en.exe
2006-05-12 16:35 . 2006-05-12 16:35 11817800 ----a-w- c:\program files\GoogleEarth.exe
2004-01-21 02:28 . 2004-01-21 02:28 5452936 ----a-w- c:\program files\DivX511Bundle.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="c:\windows\BCMSMMSG.exe" [2003-08-29 122880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-07-11 270336]
"LifeScape Media Detector"="c:\program files\Picasa\PicasaMediaDetector.exe" [2003-08-12 126976]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-10-06 741376]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VerizonServicepoint.exe"="c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"ActiveSpeed"="c:\program files\Ascentive\ActiveSpeed\AS.exe" [2009-03-05 2035712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-03 290816]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [1/1/1980 545088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2010 2:22 AM 135664]
S2 IBBTLOAM;IBBTLOAM;\??\c:\windows\system32\ibbtloam.pel --> c:\windows\system32\ibbtloam.pel [?]
S3 jgameenp;jgameenp;\??\c:\docume~1\Scott\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Scott\LOCALS~1\Temp\jgameenp.sys [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/24/2002 3:54 PM 19232]
.
Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 07:21]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 07:21]

2010-12-13 c:\windows\Tasks\User_Feed_Synchronization-{70649BE7-DAF4-4542-A595-8E0468A1A769}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:43902
uInternet Settings,ProxyOverride =
mSearchURL = [You must be registered and logged in to see this link.]
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: ebay.com\my
Trusted Zone: ebay.com\signin
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\nglxs7bv.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61495
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
SafeBoot-svcWRSSSDK



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-12-13 11:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IBBTLOAM]
"ImagePath"="\??\c:\windows\system32\ibbtloam.pel"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,52,75,9a,61,3f,56,48,b4,be,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,52,75,9a,61,3f,56,48,b4,be,a1,\

[HKEY_USERS\S-1-5-21-1180395095-4025279379-689279713-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-13 11:44:56
ComboFix-quarantined-files.txt 2010-12-13 16:44
ComboFix2.txt 2007-05-13 15:40

Pre-Run: 42,601,910,272 bytes free
Post-Run: 42,734,387,200 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /bootlog

- - End Of File - - 35A465DFD2344AD242FDA451F7A2E2F6

SquishedFlat

Re: Rogue Antivirus has me locked down

Post by Belahzur on 13th December 2010, 11:48 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    Driver::
    jgameenp

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:43902
    uInternet Settings,ProxyOverride =

    Firefox::
    FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\nglxs7bv.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 61495
    FF - prefs.js: network.proxy.type - 1
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur
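The CFScript above targets exactly the indicators a helper reads out of a ComboFix report: the Internet Explorer and Firefox proxy settings pointed at 127.0.0.1 (the rogue intercepting web traffic, which is why no site would load), a driver loaded from the user's Temp folder, and, from the earlier MBRCheck output, dozens of mshta.exe copies behind the fake warnings. The script below is an added example showing how that triage can be automated over report lines; it is not code from this thread, from ComboFix or from MBRCheck. The sample lines are constructed from the reports posted above, and the regular expressions and the repeat-count threshold are this example's own assumptions, not part of any tool's format specification.

```python
"""Heuristic triage of ComboFix/MBRCheck-style report lines (added example).

Flags: a proxy pointed at the loopback address, a driver/service image under a
Temp folder, batches of At<N>.job scheduled tasks, and processes running many
times over (mshta.exe in the MBRCheck process list). Constructed sample data.
"""
import re
from collections import Counter

# Constructed sample modelled on the ComboFix report above (not a real file).
COMBOFIX_SAMPLE = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:43902
uInternet Settings,ProxyOverride =
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61495
FF - prefs.js: network.proxy.type - 1
R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 144768]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2010 2:22 AM 135664]
S3 jgameenp;jgameenp;\??\c:\docume~1\Scott\LOCALS~1\Temp\jgameenp.sys --> c:\docume~1\Scott\LOCALS~1\Temp\jgameenp.sys [?]
c:\windows\Tasks\At1.job
c:\windows\Tasks\At24.job
2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
""".strip().splitlines()

# Constructed excerpt modelled on the MBRCheck "Processes" list above.
MBRCHECK_PROCESSES_SAMPLE = r"""
1312 C:\WINDOWS\explorer.exe
3168 C:\WINDOWS\SYSTEM32\mshta.exe
2964 C:\WINDOWS\SYSTEM32\mshta.exe
1068 C:\WINDOWS\SYSTEM32\mshta.exe
1280 C:\Program Files\Internet Explorer\iexplore.exe
2116 C:\Program Files\Internet Explorer\iexplore.exe
""".strip().splitlines()

# IE "ProxyServer" line or Firefox prefs.js proxy host that points at the local machine.
LOOPBACK_PROXY = re.compile(
    r"(ProxyServer\s*=\s*(?:http=)?|network\.proxy\.http\s*-\s*)(127\.0\.0\.1|localhost)\b")
# ComboFix driver/service line: "<start type> <name>;<display name>;<image path ...>"
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
# MBRCheck process line: "<pid> <image path>"
PROCESS_LINE = re.compile(r"^\d+\s+(?P<path>.+)$")


def triage_combofix(lines):
    """Return (kind, detail) findings for ComboFix-style lines, in report order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if LOOPBACK_PROXY.search(line):
            findings.append(("loopback_proxy", line))
            continue
        svc = SERVICE_LINE.match(line)
        if svc and TEMP_DIR.search(svc.group("path")):
            findings.append(("driver_in_temp", svc.group("name")))
            continue
        if AT_JOB.search(line):
            findings.append(("at_job", line))
    return findings


def repeated_processes(lines, threshold=3):
    """Map image basename -> count for images present at least `threshold` times.

    The threshold is an assumption for this sample; on the real list above
    mshta.exe appeared about thirty times."""
    counts = Counter()
    for raw in lines:
        m = PROCESS_LINE.match(raw.strip())
        if m:
            counts[m.group("path").rsplit("\\", 1)[-1].lower()] += 1
    return {name: n for name, n in counts.items() if n >= threshold}


def summarize(findings):
    """Count findings per kind, e.g. {'loopback_proxy': 2, ...}."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    for kind, detail in triage_combofix(COMBOFIX_SAMPLE):
        print(f"{kind:16} {detail}")
    print(repeated_processes(MBRCHECK_PROCESSES_SAMPLE))
```

Each finding maps onto a line of the helper's CFScript: the two loopback_proxy hits are the DDS:: and Firefox:: sections, and the driver_in_temp hit is the Driver:: entry. Nothing here removes anything; it only tells the analyst where to look.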

Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 14th December 2010, 6:03 pm

ComboFix 10-12-13.07 - Scott 12/14/2010 12:03:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.95 [GMT -5:00]
Running from: c:\documents and settings\Scott\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Scott\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JGAMEENP
-------\Service_jgameenp


((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-13 14:56 . 2010-12-13 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2001-08-18 11:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-18 11:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-18 11:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-18 11:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2008-11-21 16:45 . 2008-11-21 16:44 2934272 ----a-w- c:\program files\ccsetup.exe
2007-07-26 16:18 . 2007-07-26 16:16 49943864 ----a-w- c:\program files\iTunesSetup.exe
2007-07-04 01:08 . 2007-07-04 00:58 609203729 ----a-w- c:\program files\MSSetup.exe
2007-04-08 08:54 . 2007-04-08 08:54 13287696 ----a-w- c:\program files\sspsetup1673_.exe
2006-06-08 16:44 . 2006-06-08 16:44 8785512 ----a-w- c:\program files\sspsetup1673_en.exe
2006-05-12 16:35 . 2006-05-12 16:35 11817800 ----a-w- c:\program files\GoogleEarth.exe
2004-01-21 02:28 . 2004-01-21 02:28 5452936 ----a-w- c:\program files\DivX511Bundle.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-14 50688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"BCMSMMSG"="c:\windows\BCMSMMSG.exe" [2003-08-29 122880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 679936]
"Dell|Alert"="c:\program files\Dell\Support\Alert\bin\DAMon.exe" [2002-07-11 270336]
"LifeScape Media Detector"="c:\program files\Picasa\PicasaMediaDetector.exe" [2003-08-12 126976]
"nwiz"="c:\windows\system32\nwiz.exe" [2003-10-06 741376]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"VerizonServicepoint.exe"="c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"ActiveSpeed"="c:\program files\Ascentive\ActiveSpeed\AS.exe" [2009-03-05 2035712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TraySantaCruz"="c:\windows\system32\tbctray.exe" [2002-04-03 290816]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R3 tbcspud;Santa Cruz Driver;c:\windows\SYSTEM32\DRIVERS\tbcspud.sys [1/1/1980 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\SYSTEM32\DRIVERS\tbcwdm.sys [1/1/1980 545088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/3/2010 2:22 AM 135664]
S2 IBBTLOAM;IBBTLOAM;\??\c:\windows\system32\ibbtloam.pel --> c:\windows\system32\ibbtloam.pel [?]
S3 vtdg46xx;vtdg46xx;c:\progra~1\TURTLE~1\SANTAC~1\CONTRO~1\vtdg46xx.sys [7/24/2002 3:54 PM 19232]
.
Contents of the 'Scheduled Tasks' folder

2010-12-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 07:21]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-03 07:21]

2010-12-14 c:\windows\Tasks\User_Feed_Synchronization-{70649BE7-DAF4-4542-A595-8E0468A1A769}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
mSearchURL = [You must be registered and logged in to see this link.]
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Scott\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: ebay.com\my
Trusted Zone: ebay.com\signin
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\nglxs7bv.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [You must be registered and logged in to see this link.] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-12-14 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\IBBTLOAM]
"ImagePath"="\??\c:\windows\system32\ibbtloam.pel"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,52,75,9a,61,3f,56,48,b4,be,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,55,52,75,9a,61,3f,56,48,b4,be,a1,\

[HKEY_USERS\S-1-5-21-1180395095-4025279379-689279713-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3464)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Command Software\dvpapi.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-14 12:39:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 17:39
ComboFix2.txt 2010-12-13 16:44
ComboFix3.txt 2007-05-13 15:40

Pre-Run: 42,764,333,056 bytes free
Post-Run: 42,653,917,184 bytes free

- - End Of File - - BAE65D99BDD3132647A1C1796B2BABD3

SquishedFlat

Re: Rogue Antivirus has me locked down

Post by Belahzur on 14th December 2010, 11:15 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Re: Rogue Antivirus has me locked down

Post by SquishedFlat on 15th December 2010, 8:07 am

Hello.
You didn't say to post the log, but here it is. Can I now assume it is squeaky clean?

Thanks a billion!
Squished Flat

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=7ce0f5bb02f19a479fdfd63af4e515e4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-15 05:13:06
# local_time=2010-12-15 12:13:06 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=95971
# found=1
# cleaned=1
# scan_time=5078
C:\Documents and Settings\Scott\Desktop\Unused Desktop Shortcuts\Ascentive\ActiveSpeed.setup.exe

SquishedFlat
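As an added check that is not part of the thread: a small Python parser for the ESET Online Scanner log format posted above, which answers the "is it clean?" question by comparing the scan's found and cleaned counters and listing any detection whose recorded action is not a clean. The tab-separated threat and action fields after each path, and the sample paths, are assumptions, not taken from the posted log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the ESET Online Scanner log above: '# key=value'
# header lines, then one line per detection. The tab-separated threat name and action
# after the path are an assumption (the posted log shows the path only); paths are placeholders.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# scanned=95971
# found=2
# cleaned=1
C:\\sample\\one.exe\tWin32/Example.A application\tcleaned by deleting - quarantined
C:\\sample\\two.tmp\tWin32/Example.B trojan\terror while cleaning
"""

@dataclass
class ScanSummary:
    finished: bool
    scanned: int
    found: int
    cleaned: int
    detections: list = field(default_factory=list)  # (path, threat, action)

    @property
    def clean(self) -> bool:
        # Clean only if the scan completed and everything found was also cleaned.
        return self.finished and self.found == self.cleaned

def parse_eset_log(text: str) -> ScanSummary:
    meta, detections = {}, []
    for line in text.splitlines():
        if line.startswith("# "):                   # header counter line
            key, _, value = line[2:].partition("=")
            meta[key.strip()] = value.strip()
        elif re.match(r"^[A-Za-z]:\\", line):       # detection line starts with a drive path
            parts = line.split("\t") + ["", ""]     # pad missing threat/action fields
            detections.append((parts[0], parts[1], parts[2]))
    return ScanSummary(meta.get("end") == "finished", int(meta.get("scanned", 0)),
                       int(meta.get("found", 0)), int(meta.get("cleaned", 0)), detections)

def unresolved(summary: ScanSummary) -> list:
    # Detections whose recorded action is present but does not say 'cleaned'.
    return [d for d in summary.detections if d[2] and "cleaned" not in d[2].lower()]
```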

Re: Rogue Antivirus has me locked down

Post by Belahzur on 15th December 2010, 11:08 pm

Hello.

I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 9.4.1
    BitTorrent DNA
    Java(TM) 6 Update 10

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Click the "Download JRE" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u23-windows-i586.exe that you downloaded to install the newest version.

Then download and install [You must be registered and logged in to see this link.].


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
