Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Many problems: vundo, rootkit, zlob, nasty little buggers [Solved]

Started by epaddison , Jan 09 2009 12:05 PM

This topic is locked

#1
epaddison

Posted 09 January 2009 - 12:05 PM

Member

Member
13 posts

Hello!

I hope something can be done to save this computer! It (at work) was running AVG anti-virus, but still got infected. I've ran MalwareBytes and Avast scans, and they come up with (at varying times) vundo trojans, rootkit, and zlob type viruses. I just ran a MalywareBytes scan, and it said it was clean, but then I ran Avast and it found the rootkit one.

I disconnected it from the network right away, but it repeatedly brings up the virus scanner alerts and doesn't respond when I tell it to delete or move to chest. Any and all help would be appreciated!

Many thanks!

EP

My HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:59 AM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homepager.../www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdqyi.exe] C:\WINDOWS\system32\kdqyi.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKLM\..\Policies\Explorer\Run: [QuickTime Task] C:\Program Files\WebMediaViewer\qttask.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexp...om/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IExplorer Security - {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexp...om/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://www3.clicktim...tivexviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9241 bytes

#2
Essexboy

Posted 09 January 2009 - 01:45 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi there Tech Guyess (?)

Lets clear the elements I can see and then look for those that I can't

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdqyi.exe] C:\WINDOWS\system32\kdqyi.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
:Files
C:\WINDOWS\system32\kdqyi.exe

:Commands
[purity]
[emptytemp]
```
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

FINALLY FOR NOW

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All Users
Check the Radio button for Rootkit check YES
Under Additional Scans check the following:
- File - Lop Check
- File - Purity Scan
- Evnt - EventViewer Errors/Warnings (last 10)
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#3
epaddison

Posted 09 January 2009 - 04:04 PM

Member

Topic Starter
Member
13 posts

Thanks very much, see logs attached below.

Elaine, TG

========== FILES ==========
C:\WINDOWS\system32\kdqyi.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\toolbox_healer50147.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DF8C7D.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_55c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_9fc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01092009_132940

Files moved on Reboot...
C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\toolbox_healer50147.log moved successfully.
C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DF8C7D.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
File C:\WINDOWS\temp\Perflib_Perfdata_55c.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_9fc.dat not found!

------------------OT scan it

[code=auto:0]OTScanIt2 logfile created on: 1/9/2009 1:36:12 PM - Run 1
OTScanIt2 by OldTimer - Version 1.0.6.2 Folder = C:\Documents and Settings\TUlogin1\Desktop\OTScanIt2
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

958.42 Mb Total Physical Memory | 469.00 Mb Available Physical Memory | 48.93% Memory free
2.26 Gb Paging File | 1.82 Gb Available in Paging File | 80.41% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.46 Gb Total Space | 59.53 Gb Free Space | 83.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 1.86 Gb Total Space | 1.86 Gb Free Space | 99.94% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TU2
Current User Name: TUlogin1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

[Processes - Safe List]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> [2006/07/25 18:03:42 | 00,100,032 | ---- | M] (Symantec Corporation)
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> [2008/07/19 07:38:34 | 00,078,008 | ---- | M] (ALWIL Software)
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/07/19 07:38:04 | 00,250,040 | ---- | M] (ALWIL Software)
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/07/19 07:38:28 | 00,147,640 | ---- | M] (ALWIL Software)
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/07/23 07:25:45 | 00,348,344 | ---- | M] (ALWIL Software)
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/07/19 07:25:06 | 00,016,056 | ---- | M] (ALWIL Software)
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> [2008/01/07 15:19:42 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.)
avgcc.exe -> %ProgramFiles%\Grisoft\AVG7\avgcc.exe -> [2008/11/25 11:16:24 | 00,579,072 | ---- | M] (GRISOFT, s.r.o.)
avgemc.exe -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> [2008/11/25 11:16:26 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.)
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> [2008/01/07 15:19:44 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.)
avgw.exe -> %ProgramFiles%\Grisoft\AVG7\avgw.exe -> [2008/01/07 15:19:44 | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)
dmxlauncher.exe -> %ProgramFiles%\Dell\Media Experience\DMXLauncher.exe -> [2005/10/05 01:12:00 | 00,094,208 | ---- | M] ()
dsagnt.exe -> %ProgramFiles%\Dell Support\DSAgnt.exe -> [2006/08/28 19:57:12 | 00,395,776 | ---- | M] (Gteko Ltd.)
hpwuschd2.exe -> %ProgramFiles%\Hewlett-Packard\HP Software Update\hpwuSchd2.exe -> [2004/01/07 13:02:26 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
javaw.exe -> %ProgramFiles%\Hewlett-Packard\Toolbox\jre\bin\javaw.exe -> [2006/12/02 15:00:10 | 00,020,572 | ---- | M] ()
jusched.exe -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe -> [2008/02/22 03:25:21 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
lmiguardian.exe -> %ProgramFiles%\LogMeIn\x86\LMIGuardian.exe -> [2008/10/20 09:22:25 | 00,087,360 | ---- | M] (LogMeIn, Inc.)
lmiguardian.exe -> %ProgramFiles%\LogMeIn\x86\LMIGuardian.exe -> [2008/10/20 09:22:25 | 00,087,360 | ---- | M] (LogMeIn, Inc.)
logmein.exe -> %ProgramFiles%\LogMeIn\x86\LogMeIn.exe -> [2008/02/28 14:31:50 | 00,063,040 | ---- | M] (LogMeIn, Inc.)
logmeinsystray.exe -> %ProgramFiles%\LogMeIn\x86\LogMeInSystray.exe -> [2008/02/28 14:31:50 | 00,063,048 | ---- | M] (LogMeIn, Inc.)
mdm.exe -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> [2006/08/23 17:12:44 | 00,155,715 | ---- | M] (NVIDIA Corporation)
otscanit2.exe -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe -> [2009/01/09 09:03:22 | 00,485,376 | ---- | M] (OldTimer Tools)
ramaint.exe -> %ProgramFiles%\LogMeIn\x86\ramaint.exe -> [2008/10/20 09:23:10 | 00,116,032 | ---- | M] (LogMeIn, Inc.)
reader_sl.exe -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2005/09/23 21:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated)
realsched.exe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> [2007/01/05 12:09:10 | 00,185,896 | ---- | M] (RealNetworks, Inc.)
rundll32.exe -> %SystemRoot%\system32\rundll32.exe -> [2008/04/13 16:12:33 | 00,033,280 | ---- | M] (Microsoft Corporation)
sqlservr.exe -> %ProgramFiles%\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe -> [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation)
statusclient.exe -> %ProgramFiles%\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe -> [2004/02/27 09:29:24 | 00,061,440 | ---- | M] (Hewlett-Packard)
stsystra.exe -> %SystemRoot%\stsystra.exe -> [2006/08/15 07:38:14 | 00,282,624 | ---- | M] (SigmaTel, Inc.)
wdfmgr.exe -> %SystemRoot%\system32\wdfmgr.exe -> [2004/09/15 10:27:54 | 00,038,912 | ---- | M] (Microsoft Corporation)
wscntfy.exe -> %SystemRoot%\system32\wscntfy.exe -> [2008/04/13 16:12:41 | 00,013,824 | ---- | M] (Microsoft Corporation)

[Win32 Services - Safe List]
(aspnet_state) ASP.NET State Service [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -> [2004/07/14 23:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation)
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> [2008/07/19 07:25:06 | 00,016,056 | ---- | M] (ALWIL Software)
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> [2006/07/25 18:03:42 | 00,100,032 | ---- | M] (Symantec Corporation)
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> [2008/07/19 07:38:28 | 00,147,640 | ---- | M] (ALWIL Software)
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> [2008/07/19 07:38:04 | 00,250,040 | ---- | M] (ALWIL Software)
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> [2008/07/23 07:25:45 | 00,348,344 | ---- | M] (ALWIL Software)
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgamsvr.exe -> [2008/01/07 15:19:42 | 00,418,816 | ---- | M] (GRISOFT, s.r.o.)
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgupsvc.exe -> [2008/01/07 15:19:44 | 00,049,664 | ---- | M] (GRISOFT, s.r.o.)
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG7\avgemc.exe -> [2008/11/25 11:16:26 | 00,406,528 | ---- | M] (GRISOFT, s.r.o.)
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> [2006/07/25 18:03:42 | 02,119,360 | ---- | M] (Symantec Corporation)
(LMIMaint) LogMeIn Maintenance Service [Win32_Own | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\ramaint.exe -> [2008/10/20 09:23:10 | 00,116,032 | ---- | M] (LogMeIn, Inc.)
(LogMeIn) LogMeIn [Win32_Own | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\LogMeIn.exe -> [2008/02/28 14:31:50 | 00,063,040 | ---- | M] (LogMeIn, Inc.)
(MDM) Machine Debug Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/19 21:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation)
(MSSQL$METRIX) MSSQL$METRIX [Win32_Own | Auto | Running] -> %ProgramFiles%\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe -> [2002/12/17 17:26:22 | 07,520,337 | ---- | M] (Microsoft Corporation)
(MSSQLServerADHelper) MSSQLServerADHelper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -> [2002/12/17 17:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation)
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> [2006/08/23 17:12:44 | 00,155,715 | ---- | M] (NVIDIA Corporation)
(ose) Office Source Engine [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Microsoft Shared\Source Engine\OSE.EXE -> [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation)
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Stopped] -> %SystemRoot%\system32\HPZipm12.exe -> [2003/10/22 10:19:22 | 00,065,536 | ---- | M] (HP)
(SQLAgent$METRIX) SQLAgent$METRIX [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\MSDE 2000\MSSQL$METRIX\Binn\sqlagent.EXE -> [2002/12/17 17:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation)
(UMWdf) Windows User Mode Driver Framework [Win32_Own | Auto | Running] -> %SystemRoot%\system32\wdfmgr.exe -> [2004/09/15 10:27:54 | 00,038,912 | ---- | M] (Microsoft Corporation)

[Driver Services - Safe List]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aavmker4.sys -> [2008/07/19 07:32:15 | 00,026,944 | ---- | M] (ALWIL Software)
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\aliide.sys -> [2001/08/17 11:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.)
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\amdagp.sys -> [2008/04/13 10:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.)
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\AmdK8.sys -> [2006/06/19 02:37:34 | 00,036,864 | ---- | M] (Advanced Micro Devices)
(asc) asc [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\asc.sys -> [2001/08/17 11:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.)
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\asc3550.sys -> [2001/08/17 11:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.)
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> [2008/07/19 07:37:42 | 00,020,560 | ---- | M] (ALWIL Software)
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswmon2.sys -> [2008/07/19 07:37:21 | 00,094,416 | ---- | M] (ALWIL Software)
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\aswRdr.sys -> [2008/07/19 07:33:42 | 00,023,152 | ---- | M] (ALWIL Software)
(aswSP) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswSP.sys -> [2008/07/19 07:35:18 | 00,078,416 | ---- | M] (ALWIL Software)
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\system32\drivers\aswTdi.sys -> [2008/07/19 07:32:36 | 00,042,912 | ---- | M] (ALWIL Software)
(Avg7Core) AVG7 Kernel [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7core.sys -> [2008/01/07 15:19:46 | 00,821,856 | ---- | M] (GRISOFT, s.r.o.)
(Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7rsw.sys -> [2008/01/07 15:19:51 | 00,004,224 | ---- | M] (GRISOFT, s.r.o.)
(Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avg7rsxp.sys -> [2008/01/07 15:19:52 | 00,027,776 | ---- | M] (GRISOFT, s.r.o.)
(AvgClean) AVG7 Clean Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\avgclean.sys -> [2008/11/25 11:16:30 | 00,010,760 | ---- | M] (GRISOFT, s.r.o.)
(AvgTdi) AVG Network Redirector [Kernel | Auto | Running] -> %SystemRoot%\system32\drivers\avgtdi.sys -> [2008/01/07 15:19:53 | 00,004,960 | ---- | M] (GRISOFT, s.r.o.)
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\bcm4sbxp.sys -> [2006/08/14 11:29:44 | 00,044,544 | ---- | M] (Broadcom Corporation)
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\cmdide.sys -> [2001/08/17 11:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.)
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dac2w2k.sys -> [2001/08/17 11:52:16 | 00,179,584 | ---- | M] (Mylex Corporation)
(DSproct) DSproct [Kernel | On_Demand | Running] -> %ProgramFiles%\Dell Support\GTAction\triggers\DSproct.sys -> [2006/01/10 09:07:58 | 00,004,864 | ---- | M] (GTek Technologies Ltd.)
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\e100b325.sys -> [2001/08/17 10:12:10 | 00,117,760 | ---- | M] (Intel Corporation)
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> [2006/12/04 01:00:00 | 00,387,384 | ---- | M] (Symantec Corporation)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(kbdhid) Keyboard HID Driver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\kbdhid.sys -> [2008/04/13 10:39:48 | 00,014,592 | ---- | M] (Microsoft Corporation)
(LMIInfo) LogMeIn Kernel Information Provider [Kernel | Auto | Running] -> %ProgramFiles%\LogMeIn\x86\rainfo.sys -> [2008/02/28 14:31:52 | 00,012,856 | ---- | M] (LogMeIn, Inc.)
(lmimirr) lmimirr [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\lmimirr.sys -> [2008/02/28 14:31:08 | 00,010,144 | ---- | M] (LogMeIn, Inc.)
(LMIRfsClientNP) LMIRfsClientNP [File_System | Disabled | Stopped] -> %SystemRoot%\system32\LMIRfsClientNP.dll -> [2008/10/20 09:22:30 | 00,083,288 | ---- | M] (LogMeIn, Inc.)
(LMIRfsDriver) LogMeIn Remote File System Driver [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\LMIRfsDriver.sys -> [2008/10/20 09:22:31 | 00,047,640 | ---- | M] (LogMeIn, Inc.)
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\mraid35x.sys -> [2001/08/17 11:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.)
(Ndisprot) ArcNet NDIS Protocol Driver [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\ndisprot.sys -> [2008/12/04 15:57:27 | 00,027,904 | ---- | M] (Windows (R) Codename Longhorn DDK provider)
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> [2006/08/23 17:12:38 | 03,959,712 | ---- | M] (NVIDIA Corporation)
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> [2004/08/04 03:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.)
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\pxhelp20.sys -> [2004/08/02 00:03:00 | 00,020,576 | ---- | M] (Sonic Solutions)
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql1080.sys -> [2001/08/17 11:52:20 | 00,040,320 | ---- | M] (QLogic Corporation)
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql12160.sys -> [2001/08/17 11:52:20 | 00,045,312 | ---- | M] (QLogic Corporation)
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ql1280.sys -> [2001/08/17 11:52:18 | 00,049,024 | ---- | M] (QLogic Corporation)
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> [2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\sisagp.sys -> [2008/04/13 10:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation)
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\sparrow.sys -> [2001/08/17 12:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.)
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\sthda.sys -> [2006/08/15 07:38:14 | 01,171,464 | ---- | M] (SigmaTel, Inc.)
(symc810) symc810 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\symc810.sys -> [2001/08/17 12:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.)
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\symc8xx.sys -> [2001/08/17 12:07:36 | 00,032,640 | ---- | M] (LSI Logic)
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\sym_hi.sys -> [2001/08/17 12:07:40 | 00,028,384 | ---- | M] (LSI Logic)
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\sym_u3.sys -> [2001/08/17 12:07:42 | 00,030,688 | ---- | M] (LSI Logic)
(ultra) ultra [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\ultra.sys -> [2001/08/17 11:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.)

[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://windiwsfsearch.com ->
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" -> ->
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons ->
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://windiwsfsearch.com ->
HKEY_LOCAL_MACHINE\: Main\\"SearchMigratedDefaultName" -> Search ->
HKEY_LOCAL_MACHINE\: Main\\"SearchMigratedDefaultURL" -> http://windiwsfsearch.com/search?q={searchTerms} ->
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk ->
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://windiwsfsearch.com ->
HKEY_LOCAL_MACHINE\: Search\\"Start Page" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_LOCAL_MACHINE\: SearchURL\w\\"" -> http://windiwsfsearch.com/search?q=%s ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_CURRENT_USER\: Main\\"Default_Search_URL" -> http://windiwsfsearch.com ->
HKEY_CURRENT_USER\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\"Search Page" -> http://windiwsfsearch.com ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultName" -> Search ->
HKEY_CURRENT_USER\: Main\\"SearchMigratedDefaultURL" -> http://windiwsfsearch.com/search?q={searchTerms} ->
HKEY_CURRENT_USER\: Main\\"Start Page" -> http://www.homepagereset.com/?cm=82401&lt=1&it=2008-11-21%2013%3A09%3A57&dt=2008-12-04%2015%3A56%3A57&q=http://www.gmail.com/ ->
HKEY_CURRENT_USER\: Search\\"SearchAssistant" -> http://windiwsfsearch.com ->
HKEY_CURRENT_USER\: SearchURL\w\\"" -> http://windiwsfsearch.com/search?q=%s ->
HKEY_CURRENT_USER\: "ProxyEnable" -> 0 ->
HKEY_CURRENT_USER\: "ProxyOverride" -> <local> ->
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> ->
HKEY_USERS\.DEFAULT\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> ->
HKEY_USERS\S-1-5-18\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> ->
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117 ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"Default_Search_URL" -> http://windiwsfsearch.com ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"Search Page" -> http://windiwsfsearch.com ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"SearchMigratedDefaultName" -> Search ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"SearchMigratedDefaultURL" -> http://windiwsfsearch.com/search?q={searchTerms} ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Main\\"Start Page" -> http://www.homepagereset.com/?cm=82401&lt=1&it=2008-11-21%2013%3A09%3A57&dt=2008-12-04%2015%3A56%3A57&q=http://www.gmail.com/ ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: Search\\"SearchAssistant" -> http://windiwsfsearch.com ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: SearchURL\w\\"" -> http://windiwsfsearch.com/search?q=%s ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: "ProxyEnable" -> 0 ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\: "ProxyOverride" -> <local> ->
< FireFox Settings [Default Profile] > -> C:\Documents and Settings\TUlogin1\Application Data\Mozilla\FireFox\Profiles\navnja6u.default\prefs.js ->
browser.search.defaultenginename -> "Google" ->
browser.search.defaulturl -> "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=" ->
browser.search.selectedEngine -> "Google" ->
browser.startup.homepage -> "www.tenantsunion.org" ->
browser.startup.homepage_override.mstone -> "rv:1.8.1.14" ->
< HOSTS File > (734 bytes and 19 lines) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\ssv.dll [SSVHelper Class] -> [2008/02/22 03:25:19 | 00,509,328 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"avast!" -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> [2008/07/19 07:38:34 | 00,078,008 | ---- | M] (ALWIL Software)
"AVG7_CC" -> [C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP] -> File not found
"DMXLauncher" -> %ProgramFiles%\Dell\Media Experience\DMXLauncher.exe [C:\Program Files\Dell\Media Experience\DMXLauncher.exe] -> [2005/10/05 01:12:00 | 00,094,208 | ---- | M] ()
"HP Software Update" -> %ProgramFiles%\Hewlett-Packard\HP Software Update\hpwuSchd2.exe ["C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"] -> [2004/01/07 13:02:26 | 00,049,152 | ---- | M] (Hewlett-Packard Company)
"LogMeIn GUI" -> %ProgramFiles%\LogMeIn\x86\LogMeInSystray.exe ["C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"] -> [2008/02/28 14:31:50 | 00,063,048 | ---- | M] (LogMeIn, Inc.)
"NvCplDaemon" -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2006/08/23 17:12:40 | 07,630,848 | ---- | M] (NVIDIA Corporation)
"NvMediaCenter" -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2006/08/23 17:12:42 | 00,086,016 | ---- | M] (NVIDIA Corporation)
"nwiz" -> %SystemRoot%\system32\nwiz.exe [nwiz.exe /install] -> [2006/08/23 17:12:46 | 01,617,920 | ---- | M] ()
"QuickTime Task" -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2006/11/17 21:08:52 | 00,098,304 | ---- | M] (Apple Computer, Inc.)
"SigmatelSysTrayApp" -> %SystemRoot%\stsystra.exe [stsystra.exe] -> [2006/08/15 07:38:14 | 00,282,624 | ---- | M] (SigmaTel, Inc.)
"StatusClient 2.6" -> %ProgramFiles%\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe [C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto] -> [2004/02/27 09:29:24 | 00,061,440 | ---- | M] (Hewlett-Packard)
"SunJavaUpdateSched" -> %ProgramFiles%\Java\jre1.6.0_05\bin\jusched.exe ["C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"] -> [2008/02/22 03:25:21 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.)
"TkBellExe" -> %CommonProgramFiles%\Real\Update_OB\realsched.exe ["C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot] -> [2007/01/05 12:09:10 | 00,185,896 | ---- | M] (RealNetworks, Inc.)
"TomcatStartup 2.5" -> %ProgramFiles%\Hewlett-Packard\Toolbox\hpbpsttp.exe [C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe] -> [2004/05/20 08:40:45 | 00,188,416 | ---- | M] (Hewlett-Packard)
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"DellSupport" -> ["C:\Program Files\Dell Support\DSAgnt.exe" /startup] -> File not found
"MSMSGS" -> %ProgramFiles%\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
"updateMgr" -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ["C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1] -> [2006/03/30 15:45:08 | 00,313,472 | R--- | M] (Adobe Systems Incorporated)
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %ProgramFiles%\Grisoft\AVG7\avgw.exe [C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE] -> [2008/01/07 15:19:44 | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %ProgramFiles%\Grisoft\AVG7\avgw.exe [C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE] -> [2008/01/07 15:19:44 | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %ProgramFiles%\Grisoft\AVG7\avgw.exe [C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE] -> [2008/01/07 15:19:44 | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"AVG7_Run" -> %ProgramFiles%\Grisoft\AVG7\avgw.exe [C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE] -> [2008/01/07 15:19:44 | 00,219,136 | ---- | M] (GRISOFT, s.r.o.)
< Run [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
"DellSupport" -> ["C:\Program Files\Dell Support\DSAgnt.exe" /startup] -> File not found
"MSMSGS" -> %ProgramFiles%\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
"updateMgr" -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ["C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1] -> [2006/03/30 15:45:08 | 00,313,472 | R--- | M] (Adobe Systems Incorporated)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk -> %ProgramFiles%\Adobe\Acrobat 7.0\Reader\reader_sl.exe -> [2005/09/23 21:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated)
%AllUsersProfile%\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk -> %CommonProgramFiles%\Intuit\QuickBooks\QBUpdate\qbupdate.exe -> [2007/11/06 16:40:54 | 00,815,104 | ---- | M] (Intuit Inc.)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup ->
< LogMeInRemoteUser Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup ->
< LogMeInRemoteUser.TU2 Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser.TU2\Start Menu\Programs\Startup ->
< LogMeInRemoteUser.TU2.000 Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser.TU2.000\Start Menu\Programs\Startup ->
< LogMeInRemoteUser.TU2.001 Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser.TU2.001\Start Menu\Programs\Startup ->
< TUlogin1 Startup Folder > -> C:\Documents and Settings\TUlogin1\Start Menu\Programs\Startup ->
< TUlogin2 Startup Folder > -> C:\Documents and Settings\TUlogin2\Start Menu\Programs\Startup ->
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
\run\\"QuickTime Task" -> %ProgramFiles%\WebMediaViewer\qttask.exe [C:\Program Files\WebMediaViewer\qttask.exe] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" -> [0] -> File not found
\\"legalnoticecaption" -> [] -> File not found
\\"legalnoticetext" -> [] -> File not found
\\"shutdownwithoutlogon" -> [1] -> File not found
\\"undockwithoutlogon" -> [1] -> File not found
< CurrentVersion Policy Settings - Explorer [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" -> [145] -> File not found
< Internet Explorer Menu Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000] -> [2005/05/26 23:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> %ProgramFiles%\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000] -> [2005/05/26 23:06:54 | 10,095,808 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Menu: Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{3B8FB116-D358-48A3-A5C7-DB84F15CBB04}:Exec [HKLM] -> [Menu: IExplorer Security] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2003/07/14 20:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> %SystemRoot%\network diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 10:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 20:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 20:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 20:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> %ProgramFiles%\Java\jre1.6.0_05\bin\npjpi160_05.dll [Sun Java Console] -> [2008/02/22 03:25:19 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> %ProgramFiles%\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2003/07/14 20:57:08 | 00,040,512 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger] -> [2008/04/13 16:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\] > -> HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_USERS\S-1-5-21-1988760053-2413646245-3906135195-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{2DEF4530-8CE6-41C9-84B6-A54536C90213} [HKLM] -> http://www3.clicktime.com/crystalreportviewers/activeXViewer/activexviewer.cab [Crystal Report Viewer Control 9] ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Java Plug-in 1.5.0_06] ->
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab [Java Plug-in 1.5.0_09] ->
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab [Java Plug-in 1.6.0_03] ->
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab [Java Plug-in 1.6.0_05] ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] ->
{FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} [HKLM] -> https://secure.logmein.com/activex/ractrl.cab?lmi=100 [Performance Viewer Activex Control] ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{1E0C4466-5B8F-47BF-8E84-341E04493CC1} -> () ->
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mi

#4
Essexboy

Posted 09 January 2009 - 04:11 PM

GeekU Moderator

Retired Staff
69,964 posts

Could you attach the log please as most of it is missing

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#5
epaddison

Posted 14 January 2009 - 02:19 PM

Member

Topic Starter
Member
13 posts

I'm sorry, I'm unclear about which log I'm missing. Is it the scanit or the moveit log? I'm thinking it's the scan it log. The log is more than what I posted in my last reply?
Thank you.

Edited by epaddison, 14 January 2009 - 02:20 PM.

#6
epaddison

Posted 14 January 2009 - 03:41 PM

Member

Topic Starter
Member
13 posts

Okay, here it is:

OTScanIt_2.Txt 140.28KB 234 downloads

#7
Essexboy

Posted 14 January 2009 - 03:54 PM

GeekU Moderator

Retired Staff
69,964 posts

OK I have a found the possible culprit. But first you need to uninstall one of your Antivirus programmes as two is not better

Anti-Virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

If you choose to install more than one Anti-Virus program on your computer, then only one of them should be active in memory at a time.

There are basically two types of these programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, are scanners that run in the background all the time the PC is turned on and running. The main function of an On-Access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine

THEN

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8
epaddison

Posted 14 January 2009 - 04:42 PM

Member

Topic Starter
Member
13 posts

Okay, here we go.

I 'pared down' the anti-virus programs, and ran ComboFix. Log attached.

combofix_log.txt 10.8KB 135 downloads

Attached Files

combofix_log.txt 10.8KB 246 downloads

#9
Essexboy

Posted 14 January 2009 - 05:05 PM

GeekU Moderator

Retired Staff
69,964 posts

OK some more to kill

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:Processes
explorer.exe

:Services
Ndisprot
F7D0A401FF42E585 

:Reg
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F7D0A401FF42E585]

:Files
c:\windows\system32\drivers\ndisprot.sys
c:\documents and settings\TUlogin1\F7D0A401FF42E585
c:\program files\WebMediaViewer

:Commands
[purity]
[emptytemp]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

#10
epaddison

Posted 14 January 2009 - 08:08 PM

Member

Topic Starter
Member
13 posts

Okay, Here is OT moveit log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
Service Ndisprot stopped successfully.
Service Ndisprot deleted successfully.
Service F7D0A401FF42E585 stopped successfully.
Service F7D0A401FF42E585 deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\F7D0A401FF42E585\\ not found.
========== FILES ==========
c:\windows\system32\drivers\ndisprot.sys moved successfully.
c:\documents and settings\TUlogin1\F7D0A401FF42E585 moved successfully.
File/Folder c:\program files\WebMediaViewer not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21485.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21486.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21487.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21488.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21489.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21490.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21491.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21492.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21493.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21495.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21496.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21497.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21498.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21499.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21500.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21501.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\toolbox_healer21494.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DFBBA0.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DFBF81.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_21c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_560.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01142009_153426

Files moved on Reboot...
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21485.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21486.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21487.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21488.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21489.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21490.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21491.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21492.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21493.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21495.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21496.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21497.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21498.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21499.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21500.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\jar_cache21501.tmp not found!
C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\toolbox_healer21494.log moved successfully.
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DFBBA0.tmp not found!
File C:\DOCUME~1\TUlogin1\LOCALS~1\Temp\~DFBF81.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_21c.dat not found!
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_560.dat scheduled to be moved on reboot.

------------------------------

Now, Malwarebytes log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

1/14/2009 6:04:52 PM
mbam-log-2009-01-14 (18-04-52).txt

Scan type: Quick Scan
Objects scanned: 67927
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\z444.z444mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\z444.z444mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0b385ee3-ee18-4c69-bf55-6b6b406ef591} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://windiwsfsearch.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://windiwsfsearch.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://windiwsfsearc...q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://windiwsfsearch.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\512686 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)

#11
Essexboy

Posted 15 January 2009 - 03:06 PM

GeekU Moderator

Retired Staff
69,964 posts

Could you now post a new Hijackthis log and let me know how your system is running

#12
epaddison

Posted 15 January 2009 - 06:32 PM

Member

Topic Starter
Member
13 posts

I just ran an Avast scan and it's still coming up with numerous findings, all saying they're rootkit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:15 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MSDE 2000\MSSQL$METRIX\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.homepager.../www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061117
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://www3.clicktim...tivexviewer.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6972 bytes

#13
epaddison

Posted 15 January 2009 - 06:58 PM

Member

Topic Starter
Member
13 posts

Hi,

I just wanted to update that I'll be on vacation for the next 4 days and away from the computer. I also wanted to say thank you so very much for all your help with this.

Elaine

#14
Essexboy

Posted 16 January 2009 - 10:07 AM

GeekU Moderator

Retired Staff
69,964 posts

No problem Elaine just PM me when you get back. First a question - is your computer a Dell ?

And a programme for you to run on return

Download RootRepeal.zip and unzip it to your Desktop.

Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
- Drivers
- Files
- Processes
- SSDT
- Stealth Objects
- Hidden Services
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt
Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#15
epaddison

Posted 20 January 2009 - 03:22 PM

Member

Topic Starter
Member
13 posts

Hi, back again...

I am working on a Dell Dimension ...

When I first ran the RootRepeal, it shut down and I got the following generated message:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0040e77a
Attempt to read from address: 0x00bba004

I ran it a second time and got the following log: (Am I missing something here? This seems short to me.)

Thanks!
Elaine

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/01/20 12:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF41FA000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DD000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB912A000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\software.LOG
Status: Size mismatch (API: 20480, Raw: 1024)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4242618

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf42424d4

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf42429b2

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf42420ac

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf42425ae

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4241fec

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf4242050

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf42426ce

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf424268e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf424280e