Hijacked Internet access by New.Net [Solved]


This topic is locked

#1 Kyleweatherly93
Member, 29 posts
This is the log of the infected machine. I have tried many different attempts to clear the malware, but nothing has worked. I now come to you for an answer to my problem.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:48 PM, on 11/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINNT\System32\svchost.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\WINNT\system32\wuauclt.exe
G:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garpal.wednet.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.garpal.wednet.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {2C929DE8-0CF2-696E-B27F-C8B4563BF7F4} - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.garpal.wednet.edu
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130276248593
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.co...0.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = garpal.wednet.edu
O17 - HKLM\Software\..\Telephony: DomainName = garpal.wednet.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{8049E482-0FBF-48FA-9F44-B9AB12B4ADE2}: NameServer = 10.10.20.3,10.10.20.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = garpal.wednet.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{8049E482-0FBF-48FA-9F44-B9AB12B4ADE2}: NameServer = 10.10.20.3,10.10.20.23
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = garpal.wednet.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{8049E482-0FBF-48FA-9F44-B9AB12B4ADE2}: NameServer = 10.10.20.3,10.10.20.23
O20 - Winlogon Notify: DfLogon - C:\WINNT\SYSTEM32\LogonDll.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Miscrosoft Updates Service 4 (MsUpdate4) - Unknown owner - C:\WINNT\System32\msupd4.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

--
End of file - 6753 bytes
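The HijackThis log above shows the indicators a helper reads first: the repeated O10 lines (New.Net has installed itself as a Winsock Layered Service Provider, so its DLL sits inside every TCP/IP connection), an O2 BHO and an O4 Run entry loading newdotnet7_22.dll, and an O23 service (MsUpdate4) whose binary is missing. The script below is an added example, not part of this thread and not code from Trend Micro's HijackThis; it applies that first-pass triage to HijackThis-format lines by parsing the section code and checking a few structural indicators. The sample lines are copied from the posted log; the keyword list and the severity labels are the editor's own heuristics, not a published signature set.

```python
"""First-pass triage of HijackThis-format log lines (added example, not thread or tool code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in this thread,
# embedded here so the script runs offline (raw string, so backslashes stay literal).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2C929DE8-0CF2-696E-B27F-C8B4563BF7F4} - (no file)
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O23 - Service: Miscrosoft Updates Service 4 (MsUpdate4) - Unknown owner - C:\WINNT\System32\msupd4.exe (file missing)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O10, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Editor's assumption: component names taken from the posted log, lower-cased for matching.
SUSPECT_KEYWORDS = ("newdotnet", "new.net", "newdot~")


@dataclass
class Finding:
    section: str
    severity: str   # "high" | "medium" | "info"
    reason: str
    line: str


def triage_line(line):
    """Classify one log line; return a Finding, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    lower = body.lower()
    if section == "O10" and "hijacked" in lower:
        # HijackThis reports a Winsock LSP that is not a standard Microsoft provider.
        return Finding(section, "high",
                       "Winsock LSP hijack: the DLL sits in every TCP/IP connection; "
                       "repair with an LSP-aware tool, deleting the file alone breaks networking", line)
    if any(k in lower for k in SUSPECT_KEYWORDS):
        return Finding(section, "high", "references a component on the suspect list", line)
    if section == "O23" and "(file missing)" in lower:
        return Finding(section, "medium", "service points at a missing binary (orphaned service)", line)
    if section == "O23" and "unknown owner" in lower:
        return Finding(section, "medium", "service binary carries no company name; verify its hash", line)
    if section in ("O2", "O3") and "(no file)" in lower:
        return Finding(section, "info", "orphaned BHO/toolbar CLSID, registry residue only", line)
    return None


def triage_log(text):
    """Run triage_line over every non-blank line, preserving log order."""
    findings = []
    for raw in text.splitlines():
        if raw.strip():
            f = triage_line(raw)
            if f:
                findings.append(f)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 1, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line.strip()}")
    print(summarize(results))
```

The O10 reason text carries the caveat that matters most in this thread: an LSP entry is a link in the Winsock provider chain, so it has to be unregistered from the catalog (HijackThis itself defers to an LSP repair tool for this), not just deleted from disk. The keyword match is deliberately a plain substring test on the component names already visible in the log; it is there to group related entries, not to stand in for a signature database.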


#2 Onaipian
Notepad warrior, Retired Staff, 2,130 posts
Hello, Kyleweatherly93! :) Welcome to GeekstoGo! I'm piano9playa5 and will be assisting you with your malware problems. If you have any questions, ask away! Just a few tips to make things go smoothly:
  • Please be patient. I am still in training and there may be delays between posts.
    I must check everything with a moderator before posting.
  • Don't run tools you see being used in another topic. Running tools unsupervised can be dangerous.
  • Copy\Paste logs in your replies, rather than attaching them, unless I instruct you to do otherwise.
    This makes things easier for me, and the moderator looking over this topic.
  • Ensure "WordWrap" is disabled in Notepad.
    • Click Start > All Programs > Accessories > Notepad.
    • Click Format > Word Wrap if it is checked; if it is not, leave it.
  • To everyone except Kyleweatherly93: the following instructions were created specifically for Kyleweatherly93; please do not perform these steps unless instructed by a Trusted Helper.

I'll post back some instructions shortly.

#3 Onaipian
Notepad warrior, Retired Staff, 2,130 posts
Hello. :)

Please download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %SYSTEMDRIVE%\eventlog.dll /s /md5
    %SYSTEMDRIVE%\scecli.dll /s /md5
    %SYSTEMDRIVE%\netlogon.dll /s /md5
    %SYSTEMDRIVE%\cngaudit.dll /s /md5
    %SYSTEMDRIVE%\sceclt.dll /s /md5
    %SYSTEMDRIVE%\ntelogon.dll /s /md5
    %SYSTEMDRIVE%\logevent.dll /s /md5
    %SYSTEMDRIVE%\iaStor.sys /s /md5
    %SYSTEMDRIVE%\nvstor.sys /s /md5
    %SYSTEMDRIVE%\atapi.sys /s /md5
    %SYSTEMDRIVE%\IdeChnDr.sys /s /md5
    %SYSTEMDRIVE%\viasraid.sys /s /md5
    %SYSTEMDRIVE%\AGP440.sys /s /md5
    %SYSTEMDRIVE%\vaxscsi.sys /s /md5
    %SYSTEMDRIVE%\comres.dll /s /md5

  • Then click the Quick Scan button at the top. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

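The `/s /md5` entries in the custom scan above make OTL search the whole system drive for each named file and print an MD5 for every copy it finds. The point of asking for that is comparison: the driver or DLL actually in use under system32 should hash identically to the backup copies in dllcache and ServicePackFiles, and a single copy that differs is the classic sign of a file patched in place by a rootkit. The script below is an added example, not OTL code and not part of this thread; it performs that comparison over a constructed mock directory tree built in a temp folder, using names taken from the scan list above as its watch list.

```python
"""Compare all on-disk copies of watched system files by MD5 (added example, not OTL code)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Names taken from the OTL custom scan list above (the /s /md5 entries).
WATCHLIST = ("atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "scecli.dll", "netlogon.dll")


def md5_of(path, chunk=1 << 16):
    """Stream the file through MD5 (the digest OTL reports); 64 KiB blocks keep memory flat."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect_copies(root, names):
    """Walk root recursively (what OTL's /s switch does) and hash every copy of a watched name.
    Returns {lower-case name: [(path, md5), ...]}; Windows names are case-insensitive."""
    wanted = {n.lower() for n in names}
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                found[fn.lower()].append((p, md5_of(p)))
    return found


def find_mismatches(copies):
    """Names whose copies do not all share one digest. The in-use file under system32
    should match its dllcache and ServicePackFiles backups; one differing copy is the
    pattern a helper looks for when a boot driver has been patched."""
    return {name: entries for name, entries in copies.items()
            if len({digest for _, digest in entries}) > 1}


def build_demo_tree():
    """Constructed mock of a Windows tree in a temp dir: three copies of atapi.sys
    with the in-use one altered, and two identical copies of scecli.dll."""
    root = tempfile.mkdtemp(prefix="otl_md5_demo_")
    layout = {
        "WINNT/system32/drivers/atapi.sys": b"ORIGINAL-DRIVER-BYTES" + b"-ALTERED",  # differing copy
        "WINNT/system32/dllcache/atapi.sys": b"ORIGINAL-DRIVER-BYTES",
        "WINNT/ServicePackFiles/i386/atapi.sys": b"ORIGINAL-DRIVER-BYTES",
        "WINNT/system32/scecli.dll": b"SCECLI-BYTES",
        "WINNT/system32/dllcache/scecli.dll": b"SCECLI-BYTES",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def demo():
    """Build the mock tree, run the comparison, return the names whose copies disagree."""
    root = build_demo_tree()
    copies = collect_copies(root, WATCHLIST)
    return sorted(find_mismatches(copies))   # ['atapi.sys']


if __name__ == "__main__":
    root = build_demo_tree()
    copies = collect_copies(root, WATCHLIST)
    for name, entries in sorted(copies.items()):
        print(name)
        for path, digest in entries:
            print(f"  {digest}  {os.path.relpath(path, root)}")
    print("mismatched:", sorted(find_mismatches(copies)))
```

Run against a real system drive the same logic would take `C:\` as `root`; the mock tree only exists so the example runs offline. A mismatch is a lead, not a verdict: the next step is to check the differing copy's version resource and signature, which is why the helper asks for the full OTL listing rather than a yes/no answer.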

#4 Kyleweatherly93
Topic Starter, Member, 29 posts
Hello and thank you for the assistance. I myself am enrolled in the Geeks to Go program. I would like to say congrats on getting this far in the program; it takes a lot of work to get to the level you are at. Okay, back on topic... How would you like me to post the logs? I can either post each separate txt file in two separate posts or try and fit them in one. Whichever makes your job easier.

#5 Onaipian
Notepad warrior, Retired Staff, 2,130 posts
It really doesn't matter. :) Two separate posts would be great.

I myself am enrolled in the Geeks to Go program. I would like to say congrats on getting this far in the program; it takes a lot of work to get to the level you are at.

Thanks! :) Remember to go at your own pace. It's not a race. (That semi-rhymes.. hahaha)

#6 Kyleweatherly93
Topic Starter, Member, 29 posts
OTL logfile created on: 11/25/2009 9:16:30 AM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = G:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.73 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 76.58% Memory free
1.94 Gb Paging File | 1.69 Gb Available in Paging File | 87.05% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 7.27 Gb Free Space | 19.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 3.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 476.45 Mb Total Space | 465.16 Mb Free Space | 97.63% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P19152-AV
Current User Name: techaide
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/25 09:12:44 | 00,970,085 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
PRC - [2009/11/25 09:11:50 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\OTL.exe
PRC - [2008/04/15 00:05:18 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PRC - [2007/12/10 08:45:27 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PRC - [2007/12/10 08:45:04 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PRC - [2007/12/10 08:44:51 | 00,266,240 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
PRC - [2007/12/10 08:44:47 | 00,790,528 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe
PRC - [2007/06/13 02:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2007/04/04 06:22:26 | 00,743,296 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
PRC - [2006/04/02 12:13:02 | 02,596,864 | ---- | M] () -- C:\Documents and Settings\techaide\Application Data\U3\08B0E86050114936\Launchpad.exe
PRC - [2006/01/19 09:22:20 | 00,049,152 | ---- | M] (Pinnacle Systems) -- c:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
PRC - [2005/05/03 23:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
PRC - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wdfmgr.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 09:11:50 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\OTL.exe
MOD - [2006/05/22 12:45:29 | 00,614,400 | ---- | M] (New.net, Inc.) -- C:\Program Files\NewDotNet\newdotnet7_22.dll
MOD - [2004/08/03 23:57:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/03 23:56:42 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (MsUpdate4)
SRV - [2008/10/27 12:47:05 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2008/04/15 00:05:18 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service)
SRV - [2007/12/10 08:45:27 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService)
SRV - [2007/12/10 08:45:04 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService)
SRV - [2007/12/10 08:44:51 | 00,266,240 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent)
SRV - [2007/12/10 08:44:47 | 00,790,528 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router)
SRV - [2007/04/04 06:22:26 | 00,743,296 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)
SRV - [2006/01/19 09:22:20 | 00,049,152 | ---- | M] (Pinnacle Systems) -- c:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe -- (PinnacleSys.MediaServer)
SRV - [2005/05/03 23:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe -- (MSSQL$PINNACLESYS)
SRV - [2005/05/03 21:50:28 | 00,073,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper)
SRV - [2005/05/03 20:42:56 | 00,323,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE -- (SQLAgent$PINNACLESYS)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wdfmgr.exe -- (UMWdf)
SRV - [2004/08/03 23:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/03 10:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.garpal.wednet.edu
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.garpal.wednet.edu/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {2C929DE8-0CF2-696E-B27F-C8B4563BF7F4} - No CLSID value found.
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll File not found
O4 - HKLM..\Run: [New.net Startup] C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Welcome to the Gar-Pal Network --- Educational Use Only
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = Use of this network is limited to education and research and all use must be consistent with the goals of the Garfield and Palouse School Districts. Network access and Internet use is limited to those persons who have been issued district approved accounts. Use will be in accordance with the districts' Acceptable Use Procedures and Internet Code of Conduct. For more information,contact either school office. All use of this network is subject to review and/or monitoring.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB (DoMoreRunExe.DoMoreRun)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} http://protect.micro...b?1118520135015 (MSSecurityAdvisor Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by102fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} file://C:\Program Files\gateway\helpspot\TechTools.CAB (TechToolsActivex.TechTools)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1130276248593 (WUWebControl Class)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} http://us.games2.yim...ctl_0_0_0_1.ocx (ExentInf Class)
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB (RunExeActiveX.RunExe)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8112.5196064815 (Reg Error: Key error.)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} http://www.tukati.co...0.20/tukati.cab (Tukati Launcher)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = garpal.wednet.edu
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\DfLogon: DllName - LogonDll.dll - C:\WINNT\System32\LogonDll.dll ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/03 14:11:40 | 00,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/02/13 11:08:58 | 00,000,145 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell - "" = AutoRun
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2006/02/13 11:09:04 | 00,921,600 | R--- | M] ()
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell - "" = AutoRun
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2006/02/13 11:09:04 | 00,921,600 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/k:C) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/11/25 09:16:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\techaide\Application Data\U3
[2009/11/19 13:57:31 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/11/19 13:41:34 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/11/19 13:41:02 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/11/16 13:21:11 | 00,000,000 | ---D | C] -- C:\WINNT\pss
[2009/11/16 13:20:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\techaide\Application Data\Nvu
[2009/11/16 13:20:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\techaide\Application Data\Mozilla
[2009/11/16 13:20:21 | 00,000,000 | ---D | C] -- C:\Program Files\Nvu
[2009/11/16 13:14:00 | 00,000,000 | --SD | C] -- C:\Documents and Settings\techaide\UserData

========== Files - Modified Within 14 Days ==========

[2009/11/25 09:15:58 | 01,048,576 | -H-- | M] () -- C:\Documents and Settings\techaide\NTUSER.DAT
[2009/11/25 09:12:34 | 00,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/11/24 14:28:00 | 00,465,578 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/11/24 14:28:00 | 00,398,180 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2009/11/24 14:28:00 | 00,060,380 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2009/11/24 14:23:51 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/11/24 14:23:40 | 18,610,13504 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/19 13:49:38 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\techaide\ntuser.ini
[2009/11/19 13:49:34 | 02,003,204 | -H-- | M] () -- C:\Documents and Settings\techaide\Local Settings\Application Data\IconCache.db
[2009/11/19 13:49:14 | 00,000,634 | ---- | M] () -- C:\WINNT\win.ini
[2009/11/19 13:49:14 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/11/19 13:49:14 | 00,000,207 | RHS- | M] () -- C:\boot.ini
[2009/11/19 13:13:35 | 00,000,605 | ---- | M] () -- C:\WINNT\QUICKEN.INI
[2009/11/16 13:20:26 | 00,000,568 | ---- | M] () -- C:\Documents and Settings\techaide\Desktop\Nvu.lnk
[2009/11/13 01:04:19 | 00,282,128 | ---- | M] () -- C:\WINNT\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2009/11/16 13:20:26 | 00,000,568 | ---- | C] () -- C:\Documents and Settings\techaide\Desktop\Nvu.lnk
[2008/01/25 13:34:22 | 02,003,204 | -H-- | C] () -- C:\Documents and Settings\techaide\Local Settings\Application Data\IconCache.db
[2008/01/25 13:30:35 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\techaide\Application Data\desktop.ini
[2007/04/12 12:01:40 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\LogonDll.dll
[2007/01/03 14:27:21 | 00,194,248 | ---- | C] () -- C:\WINNT\System32\LTRFD13n.DLL
[2006/12/06 13:50:51 | 00,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2006/12/06 13:50:49 | 00,733,696 | ---- | C] () -- C:\WINNT\System32\qedwipes.dll
[2006/12/06 13:50:49 | 00,562,176 | ---- | C] () -- C:\WINNT\System32\qedit.dll
[2006/12/06 13:50:48 | 00,385,024 | ---- | C] () -- C:\WINNT\System32\qdvd.dll
[2006/12/06 13:50:48 | 00,279,040 | ---- | C] () -- C:\WINNT\System32\qdv.dll
[2006/12/06 13:50:48 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\qcap.dll
[2006/12/06 13:50:48 | 00,070,656 | ---- | C] () -- C:\WINNT\System32\amstream.dll
[2006/12/06 13:50:48 | 00,059,904 | ---- | C] () -- C:\WINNT\System32\devenum.dll
[2006/12/06 13:50:48 | 00,035,328 | ---- | C] () -- C:\WINNT\System32\mciqtz32.dll
[2006/12/06 13:50:48 | 00,014,336 | ---- | C] () -- C:\WINNT\System32\msdmo.dll
[2006/11/21 14:46:22 | 00,000,050 | ---- | C] () -- C:\WINNT\wwp.INI
[2006/09/01 12:19:12 | 00,001,208 | ---- | C] () -- C:\WINNT\VFO.INI
[2006/09/01 12:19:11 | 00,196,096 | ---- | C] () -- C:\WINNT\System32\macd32.dll
[2006/09/01 12:19:11 | 00,138,752 | ---- | C] () -- C:\WINNT\System32\mase32.dll
[2006/09/01 12:19:11 | 00,136,192 | ---- | C] () -- C:\WINNT\System32\mamc32.dll
[2006/09/01 12:19:11 | 00,057,856 | ---- | C] () -- C:\WINNT\System32\masd32.dll
[2006/09/01 12:19:09 | 00,027,648 | ---- | C] () -- C:\WINNT\System32\ma32.dll
[2005/11/18 13:51:26 | 00,001,368 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2005/10/24 13:15:15 | 00,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2004/05/05 11:46:04 | 00,355,112 | ---- | C] () -- C:\WINNT\System32\msjetoledb40.dll
[2003/11/12 14:48:08 | 00,000,003 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
[2003/10/30 15:00:42 | 00,019,968 | ---- | C] () -- C:\WINNT\System32\cpuinf32.dll
[2003/09/11 11:31:59 | 00,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2003/07/08 12:14:30 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2003/07/08 12:01:07 | 00,000,605 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2003/07/08 12:01:07 | 00,000,052 | ---- | C] () -- C:\WINNT\intuprof.ini
[2003/07/08 11:59:13 | 00,000,701 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2003/05/30 08:00:02 | 01,290,752 | ---- | C] () -- C:\WINNT\System32\quartz.dll
[2003/05/12 07:57:34 | 00,000,781 | ---- | C] () -- C:\WINNT\orun32.ini
[2003/05/12 07:32:50 | 00,000,000 | ---- | C] () -- C:\WINNT\control.ini
[2003/05/12 07:27:51 | 00,000,037 | ---- | C] () -- C:\WINNT\vbaddin.ini
[2003/05/12 07:27:51 | 00,000,036 | ---- | C] () -- C:\WINNT\vb.ini
[2003/05/12 07:27:04 | 00,013,223 | ---- | C] () -- C:\WINNT\System32\tslabels.ini
[2003/05/12 07:27:03 | 00,001,931 | ---- | C] () -- C:\WINNT\System32\msdtcprf.ini
[2003/05/12 07:22:09 | 00,465,578 | ---- | C] () -- C:\WINNT\System32\PerfStringBackup.INI
[2003/05/12 07:22:08 | 00,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2003/05/12 07:21:44 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2002/11/26 11:15:52 | 00,186,368 | ---- | C] () -- C:\WINNT\System32\encdec.dll
[2002/11/26 11:15:50 | 00,270,848 | ---- | C] () -- C:\WINNT\System32\sbe.dll
[2001/08/17 19:36:28 | 00,157,696 | ---- | C] () -- C:\WINNT\System32\paqsp.dll
[1979/12/31 21:00:00 | 01,015,477 | ---- | C] () -- C:\WINNT\System32\esentprf.ini
[1979/12/31 21:00:00 | 00,498,742 | ---- | C] () -- C:\WINNT\System32\dxmasf.dll
[1979/12/31 21:00:00 | 00,252,928 | ---- | C] () -- C:\WINNT\System32\compatui.dll
[1979/12/31 21:00:00 | 00,199,168 | ---- | C] () -- C:\WINNT\System32\ir32_32.dll
[1979/12/31 21:00:00 | 00,126,976 | ---- | C] () -- C:\WINNT\System32\e1000msg.dll
[1979/12/31 21:00:00 | 00,094,282 | ---- | C] () -- C:\WINNT\System32\msencode.dll
[1979/12/31 21:00:00 | 00,053,478 | ---- | C] () -- C:\WINNT\System32\tcpmon.ini
[1979/12/31 21:00:00 | 00,042,809 | ---- | C] () -- C:\WINNT\System32\key01.sys
[1979/12/31 21:00:00 | 00,042,537 | ---- | C] () -- C:\WINNT\System32\keyboard.sys
[1979/12/31 21:00:00 | 00,035,648 | ---- | C] () -- C:\WINNT\System32\ntio411.sys
[1979/12/31 21:00:00 | 00,035,424 | ---- | C] () -- C:\WINNT\System32\ntio412.sys
[1979/12/31 21:00:00 | 00,034,560 | ---- | C] () -- C:\WINNT\System32\ntio804.sys
[1979/12/31 21:00:00 | 00,034,560 | ---- | C] () -- C:\WINNT\System32\ntio404.sys
[1979/12/31 21:00:00 | 00,033,840 | ---- | C] () -- C:\WINNT\System32\ntio.sys
[1979/12/31 21:00:00 | 00,029,370 | ---- | C] () -- C:\WINNT\System32\ntdos411.sys
[1979/12/31 21:00:00 | 00,029,274 | ---- | C] () -- C:\WINNT\System32\ntdos412.sys
[1979/12/31 21:00:00 | 00,029,146 | ---- | C] () -- C:\WINNT\System32\ntdos804.sys
[1979/12/31 21:00:00 | 00,029,146 | ---- | C] () -- C:\WINNT\System32\ntdos404.sys
[1979/12/31 21:00:00 | 00,027,866 | ---- | C] () -- C:\WINNT\System32\ntdos.sys
[1979/12/31 21:00:00 | 00,027,097 | ---- | C] () -- C:\WINNT\System32\country.sys
[1979/12/31 21:00:00 | 00,015,360 | ---- | C] () -- C:\WINNT\System32\tsd32.dll
[1979/12/31 21:00:00 | 00,013,312 | ---- | C] () -- C:\WINNT\System32\win87em.dll
[1979/12/31 21:00:00 | 00,012,082 | ---- | C] () -- C:\WINNT\System32\rsvp.ini
[1979/12/31 21:00:00 | 00,010,240 | ---- | C] () -- C:\WINNT\System32\scriptpw.dll
[1979/12/31 21:00:00 | 00,010,110 | ---- | C] () -- C:\WINNT\System32\mqperf.ini
[1979/12/31 21:00:00 | 00,009,029 | ---- | C] () -- C:\WINNT\System32\ansi.sys
[1979/12/31 21:00:00 | 00,006,877 | ---- | C] () -- C:\WINNT\System32\pschdprf.ini
[1979/12/31 21:00:00 | 00,004,768 | ---- | C] () -- C:\WINNT\System32\himem.sys
[1979/12/31 21:00:00 | 00,004,126 | ---- | C] () -- C:\WINNT\System32\msdxmlc.dll
[1979/12/31 21:00:00 | 00,003,458 | ---- | C] () -- C:\WINNT\System32\rasctrs.ini
[1979/12/31 21:00:00 | 00,002,891 | ---- | C] () -- C:\WINNT\System32\perfci.ini
[1979/12/31 21:00:00 | 00,002,732 | ---- | C] () -- C:\WINNT\System32\perfwci.ini
[1979/12/31 21:00:00 | 00,002,656 | ---- | C] () -- C:\WINNT\System32\netware.drv
[1979/12/31 21:00:00 | 00,001,405 | ---- | C] () -- C:\WINNT\msdfmap.ini
[1979/12/31 21:00:00 | 00,001,152 | ---- | C] () -- C:\WINNT\System32\perffilt.ini
[1979/12/31 21:00:00 | 00,000,634 | ---- | C] () -- C:\WINNT\win.ini
[1979/12/31 21:00:00 | 00,000,343 | ---- | C] () -- C:\WINNT\System32\prodspec.ini
[1979/12/31 21:00:00 | 00,000,227 | ---- | C] () -- C:\WINNT\system.ini

========== LOP Check ==========

[2009/11/24 14:25:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2005/12/16 14:01:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2005/11/18 14:37:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2005/12/16 14:10:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2006/09/05 12:53:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/27 12:47:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2005/09/27 13:32:37 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2003/07/08 12:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 5.0.0527
[2005/10/26 13:17:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2007/01/03 14:39:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2007/01/03 14:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
[2003/05/12 07:58:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2007/12/21 01:05:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sophos
[2005/09/26 14:11:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2003/08/11 14:01:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2006/03/09 14:47:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
[2005/11/04 13:52:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2003/07/08 12:00:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Adobe
[2009/11/19 13:07:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Google
[2003/05/12 07:39:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Identities
[2003/07/08 12:00:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\InterTrust
[2009/11/16 13:22:32 | 00,000,000 | --SD | M] -- C:\Documents and Settings\techaide\Application Data\Microsoft
[2009/11/16 13:20:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Mozilla
[2009/11/16 13:20:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Nvu
[2008/01/25 13:31:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Real
[2003/07/08 12:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Symantec
[2009/11/25 09:16:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\U3
[2002/08/29 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINNT\Tasks\desktop.ini
[2003/08/11 13:43:14 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 1.job
[2003/08/11 13:43:14 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 2.job
[2003/08/11 13:43:15 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 3.job
[2009/11/24 14:23:51 | 00,000,006 | -H-- | M] () -- C:\WINNT\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2002/08/29 03:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINNT\$NtServicePackUninstall$\eventlog.dll
[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\ServicePackFiles\i386\eventlog.dll
[2008/04/13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll
[2004/08/03 23:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINNT\system32\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2002/08/29 03:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINNT\$NtServicePackUninstall$\scecli.dll
[2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\ServicePackFiles\i386\scecli.dll
[2008/04/13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll
[2004/08/03 23:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINNT\system32\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 10:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINNT\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2002/08/29 03:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINNT\$NtServicePackUninstall$\netlogon.dll
[2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\ServicePackFiles\i386\netlogon.dll
[2008/04/13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll
[2004/08/03 23:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINNT\system32\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2003/03/20 21:00:00 | 00,201,088 | ---- | M] (Intel Corporation) MD5=18E3972D9632485D80D609D4674F9D83 -- C:\OEMDRVRS\iaStor.sys
[2003/03/20 21:00:00 | 00,201,088 | ---- | M] (Intel Corporation) MD5=18E3972D9632485D80D609D4674F9D83 -- C:\WINNT\system32\drivers\iaStor.sys

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2002/10/24 12:59:48 | 00,087,040 | ---- | M] (Microsoft Corporation) MD5=F1D915C3870E741D83B5142F3B358761 -- C:\WINNT\$NtServicePackUninstall$\atapi.sys
[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\ServicePackFiles\i386\atapi.sys
[2008/04/13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\atapi.sys
[2004/08/03 21:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINNT\system32\drivers\atapi.sys
[2002/08/28 22:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINNT\system32\ReinstallBackups\0003\DriverFiles\i386\atapi.sys
[2002/08/28 22:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2001/08/17 10:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINNT\$NtServicePackUninstall$\agp440.sys
[2004/08/03 22:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\ServicePackFiles\i386\agp440.sys
[2008/04/13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\agp440.sys
[2004/08/03 22:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINNT\system32\drivers\agp440.sys

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >

< %SYSTEMDRIVE%\comres.dll /s /md5 >
[2002/08/29 03:00:00 | 00,792,064 | ---- | M] (Microsoft Corporation) MD5=1F51839ECCF908FD86558198909262E4 -- C:\WINNT\$NtServicePackUninstall$\comres.dll
[2004/08/03 23:56:41 | 00,792,064 | ---- | M] (Microsoft Corporation) MD5=6728270CB7DBB776ED086F5AC4C82310 -- C:\WINNT\ServicePackFiles\i386\comres.dll
[2008/04/13 16:11:51 | 00,792,064 | ---- | M] (Microsoft Corporation) MD5=1280A158C722FA95A80FB7AEBE78FA7D -- C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\comres.dll
[2004/08/03 23:56:41 | 00,792,064 | ---- | M] (Microsoft Corporation) MD5=6728270CB7DBB776ED086F5AC4C82310 -- C:\WINNT\system32\comres.dll
< End of report >

#7
Kyleweatherly93
    Member
  • Topic Starter
  • 29 posts
OTL Extras logfile created on: 11/25/2009 9:16:30 AM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = G:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.73 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 76.58% Memory free
1.94 Gb Paging File | 1.69 Gb Available in Paging File | 87.05% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 7.27 Gb Free Space | 19.50% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 3.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 476.45 Mb Total Space | 465.16 Mb Free Space | 97.63% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P19152-AV
Current User Name: techaide
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000000-3976-4267-9F39-1DC4745090B7}" = Microsoft Learning and Research Plus Support Files
"{034759DA-E21A-4795-BFB3-C66D17FAD183}" = Sophos Anti-Virus
"{15C418EB-7675-42be-B2B3-281952DA014D}" = Sophos AutoUpdate
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{369B36BE-3D64-4641-9AEA-808D436FE130}" = Microsoft Picture It! Express 7.0
"{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"{3CB05291-F546-458E-A796-B5BCF5A3CDC4}" = Studio 10
"{3F866D37-22D0-435D-94F1-31A64D566D0E}" = Pinnacle device drivers
"{460CE8B9-6EC2-458A-90D4-691631ECE9D9}" = Pinnacle MediaServer
"{5E835305-63BB-4E55-BBB7-EEBBE67774DB}" = MyDVD
"{609F7AC8-C510-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Basic
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A77F3C2D-50CC-4A29-A1FB-1E018BE4DCA2}" = DiscAPI (Studio 10)
"{A790BEB1-BCCF-4EC6-807B-5708B36E8A79}" = Intel® PROSet
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D2B7C41F-C63D-4935-B323-B60673724D63}" = Do More 7.0
"{E09B48B5-E141-427A-AB0C-D3605127224A}" = Microsoft SQL Server Desktop Engine (PINNACLESYS)
"{EEECE229-49F6-4851-A73A-99B058221F8C}" = RAPID (Studio 10)
"{EF781A5C-58F5-4BFD-87F9-E4F14D382F25}" = Pinnacle Instant DVD Recorder
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{FF11005D-CBC8-45D5-A288-25C7BB304121}" = Sophos Remote Management System
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Buccaneers Flag" = Buccaneers Flag Screen Saver
"Clockwork Orange Icon Library" = Clockwork Orange Icon Library
"Foxit Reader" = Foxit Reader
"G-Force" = G-Force
"HFX PLUS for Studio" = HFX PLUS for Studio
"HijackThis" = HijackThis 2.0.2
"InstallShield_{3868A8EE-5051-4DB0-8DF6-4F4B8A98D083}" = QuickTime
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 1.80 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"MSN Toolbar" = MSN Toolbar
"MSNMS" = MSN Internet Software
"MVApplication1" = SureThing CD Labeler - Stomper Edition 32 bit
"New.net" = New.net Domains 7.22
"NMIX!UninstallKey" = NeroMIX
"Nvu_is1" = Nvu 1.0
"Pinnacle Hollywood FX Pack - Extra FX" = Pinnacle Hollywood FX Pack - Extra FX
"Pinnacle Studio AV/DV" = Pinnacle Studio AV/DV
"Pinnacle Systems PCI Performance Enhancer" = Pinnacle Systems PCI Performance Enhancer
"PROSet" = Intel® PRO Network Adapters and Drivers
"QuickSearch Toolbar" = QuickSearch Toolbar
"RealArcade 1.2" = RealArcade
"RealPlayer 6.0" = RealPlayer
"Shockwave" = Shockwave
"ShockwaveFlash" = Macromedia Flash Player 8
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.4
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"Worms for Pocket PC" = Worms for Pocket PC

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/3/2009 12:02:56 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 11/4/2009 5:48:09 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (A socket operation was attempted to an unreachable host. ). Group Policy
processing aborted.

Error - 11/9/2009 12:31:33 PM | Computer Name = P19152-AV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007003a). The specified server cannot perform the requested
operation. Enrollment will not be performed.

Error - 11/9/2009 12:31:35 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 11/10/2009 12:29:37 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 11/12/2009 12:24:55 PM | Computer Name = P19152-AV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007003a). The specified server cannot perform the requested
operation. Enrollment will not be performed.

Error - 11/12/2009 12:24:57 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.

Error - 11/13/2009 12:18:17 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1054
Description = Windows cannot obtain the domain controller name for your computer
network. (A socket operation was attempted to an unreachable host. ). Group Policy
processing aborted.

Error - 11/16/2009 1:27:38 PM | Computer Name = P19152-AV | Source = AutoEnrollment | ID = 15
Description = Automatic certificate enrollment for local system failed to contact
the active directory (0x8007003a). The specified server cannot perform the requested
operation. Enrollment will not be performed.

Error - 11/16/2009 1:27:38 PM | Computer Name = P19152-AV | Source = Userenv | ID = 1053
Description = Windows cannot determine the user or computer name. (The RPC server
is unavailable. ). Group Policy processing aborted.


< End of report >

#8
Onaipian
    Notepad warrior
  • Retired Staff
  • 2,130 posts
Hello :)

Step One
Run OTL (Double click to run)
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :OTL
    O2 - BHO: (no name) - {2C929DE8-0CF2-696E-B27F-C8B4563BF7F4} - No CLSID value found.
    O4 - HKLM..\Run: [New.net Startup] C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\Program Files\NewDotNet\newdotnet7_22.dll (New.net, Inc.)
    
    :Files
    C:\Program Files\NewDotNet
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}]
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, and accept to reboot when it's finished.
  • During start-up, a log will open. Paste the contents of it back here
  • Open OTL again.
  • Click the Quick Scan button.
  • Post the log it produces in your next reply.

Step Two
Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Logs&Info
Remember to post back the following logs:
  • OTL Fix Results
  • OTL.txt
  • MalwareBytes' Anti-Malware log


#9
Kyleweatherly93
    Member
  • Topic Starter
  • 29 posts
Okay I will get right on that. Sorry for the delay. Got busy over turkey day.

#10
Kyleweatherly93
    Member
  • Topic Starter
  • 29 posts
This is the log after the fixes and reboot.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C929DE8-0CF2-696E-B27F-C8B4563BF7F4}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C929DE8-0CF2-696E-B27F-C8B4563BF7F4}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\New.net Startup deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004\ deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\ deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\ deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020\ deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021\ deleted successfully.
File move failed. C:\Program Files\NewDotNet\newdotnet7_22.dll scheduled to be moved on reboot.
========== FILES ==========
Folder move failed. C:\Program Files\NewDotNet scheduled to be moved on reboot.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: 0cocknic
->Temp folder emptied: 1934095 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: 0gamesha
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0grunben
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0lopezac
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0martmic
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0pfafgar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0roaclee
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0willhar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 0zettfen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 1nissmik
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 1weatkyl
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6aguiaid
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6kelnjos
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6kitedot
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6lawsmic
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6rudzjer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 6wilcbry
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7colejes
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7eldeeli
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7fincjes
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7lopevan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7osboant
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7philjus
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7saundan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7snoojos
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7tullpau
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 7wernbry
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8bofejef
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8bowebri
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8cockcol
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8fiscsam
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8gamedav
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8iverann
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8mckinic
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8saunjul
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8shoecou
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8smiteri
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8smitsco
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8thurchr
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 8watebri
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 9rageaar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 9reameri
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 9tronste
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 9villtre
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: 9willsar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: administrator.GARPAL
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: ADMINI~1~GAR

User: All Users

User: cbrantner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: dgriner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Lab
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: pal
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: SWEEPUPD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: techaide
->Temp folder emptied: 35400 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Tester
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 3209229 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.03 mb

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\: LSP stack updated.

OTL by OldTimer - Version 3.1.10.1 log created on 11302009_135239

Files\Folders moved on Reboot...
C:\Program Files\NewDotNet\newdotnet7_22.dll moved successfully.
C:\Program Files\NewDotNet folder moved successfully.

Registry entries deleted on Reboot...

#11
Kyleweatherly93

    Member

  • Topic Starter
  • Member
  • 29 posts
This is the OTL.txt after the quick scan.



OTL logfile created on: 11/30/2009 2:07:51 PM - Run 2
OTL by OldTimer - Version 3.1.10.1 Folder = G:\
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.73 Gb Total Physical Memory | 1.41 Gb Available Physical Memory | 81.51% Memory free
1.94 Gb Paging File | 1.80 Gb Available in Paging File | 92.61% Paging File free
Paging file location(s): C:\pagefile.sys 360 720 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINNT | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 7.27 Gb Free Space | 19.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 3.79 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive G: | 476.45 Mb Total Space | 474.16 Mb Free Space | 99.52% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: P19152-AV
Current User Name: techaide
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/30 14:00:20 | 00,970,085 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
PRC - [2009/11/25 09:11:50 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\OTL.exe
PRC - [2009/02/06 08:39:29 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\wmiprvse.exe
PRC - [2008/04/15 00:05:18 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PRC - [2007/12/10 08:45:27 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PRC - [2007/12/10 08:45:04 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PRC - [2007/06/13 02:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINNT\explorer.exe
PRC - [2007/04/04 06:22:26 | 00,743,296 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
PRC - [2006/04/02 12:13:02 | 02,596,864 | ---- | M] () -- C:\Documents and Settings\techaide\Application Data\U3\08B0E86050114936\Launchpad.exe
PRC - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wdfmgr.exe


========== Modules (SafeList) ==========

MOD - [2009/11/25 09:11:50 | 00,531,456 | ---- | M] (OldTimer Tools) -- G:\OTL.exe
MOD - [2004/08/03 23:57:00 | 01,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
MOD - [2004/08/03 23:56:42 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (MsUpdate4)
SRV - [2008/10/27 12:47:05 | 00,068,096 | ---- | M] () -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2008/04/15 00:05:18 | 00,172,032 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service)
SRV - [2007/12/10 08:45:27 | 00,098,304 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService)
SRV - [2007/12/10 08:45:04 | 00,069,632 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService)
SRV - [2007/12/10 08:44:51 | 00,266,240 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe -- (Sophos Agent)
SRV - [2007/12/10 08:44:47 | 00,790,528 | ---- | M] (Sophos Plc) -- C:\Program Files\Sophos\Remote Management System\RouterNT.exe -- (Sophos Message Router)
SRV - [2007/04/04 06:22:26 | 00,743,296 | ---- | M] (Faronics Corporation) -- C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe -- (DF5Serv)
SRV - [2006/01/19 09:22:20 | 00,049,152 | ---- | M] (Pinnacle Systems) -- c:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe -- (PinnacleSys.MediaServer)
SRV - [2005/05/03 23:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe -- (MSSQL$PINNACLESYS)
SRV - [2005/05/03 21:50:28 | 00,073,728 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper)
SRV - [2005/05/03 20:42:56 | 00,323,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE -- (SQLAgent$PINNACLESYS)
SRV - [2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/22 18:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\system32\wdfmgr.exe -- (UMWdf)
SRV - [2004/08/03 23:56:44 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/03/03 10:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.garpal.wednet.edu
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.garpal.wednet.edu/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: (734 bytes) - C:\WINNT\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ST) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll File not found
O4 - HKLM..\Run: [New.net Startup] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = Welcome to the Gar-Pal Network --- Educational Use Only
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = Use of this network is limited to education and research and all use must be consistent with the goals of the Garfield and Palouse School Districts. Network access and Internet use is limited to those persons who have been issued district approved accounts. Use will be in accordance with the districts' Acceptable Use Procedures and Internet Code of Conduct. For more information,contact either school office. All use of this network is subject to review and/or monitoring.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB (DoMoreRunExe.DoMoreRun)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} http://protect.micro...b?1118520135015 (MSSecurityAdvisor Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by102fd.bay10...es/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} file://C:\Program Files\gateway\helpspot\TechTools.CAB (TechToolsActivex.TechTools)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1130276248593 (WUWebControl Class)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} http://us.games2.yim...ctl_0_0_0_1.ocx (ExentInf Class)
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB (RunExeActiveX.RunExe)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupd...8112.5196064815 (Reg Error: Key error.)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} http://www.tukati.co...0.20/tukati.cab (Tukati Launcher)
O16 - DPF: DirectAnimation Java Classes file://C:\WINNT\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINNT\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = garpal.wednet.edu
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINNT\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\DfLogon: DllName - LogonDll.dll - C:\WINNT\System32\LogonDll.dll ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINNT\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/03 14:11:40 | 00,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/02/13 11:08:58 | 00,000,145 | R--- | M] () - F:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell - "" = AutoRun
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4a5ff787-5e41-11db-b2d6-0007e961066d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2006/02/13 11:09:04 | 00,921,600 | R--- | M] ()
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell - "" = AutoRun
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{75beb8d6-acc4-11db-b2f1-0007e961066d}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- [2006/02/13 11:09:04 | 00,921,600 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINNT\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (/k:C) - File not found
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 14 Days ==========

[2009/11/25 09:16:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\techaide\Application Data\U3
[2009/11/19 13:57:31 | 00,000,000 | --SD | C] -- C:\ComboFix
[2009/11/19 13:41:34 | 00,000,000 | ---D | C] -- C:\WINNT\ERDNT
[2009/11/19 13:41:02 | 00,000,000 | ---D | C] -- C:\Qoobox

========== Files - Modified Within 14 Days ==========

[2009/11/30 14:03:27 | 00,465,578 | ---- | M] () -- C:\WINNT\System32\PerfStringBackup.INI
[2009/11/30 14:03:27 | 00,398,180 | ---- | M] () -- C:\WINNT\System32\perfh009.dat
[2009/11/30 14:03:27 | 00,060,380 | ---- | M] () -- C:\WINNT\System32\perfc009.dat
[2009/11/30 14:01:55 | 01,048,576 | -H-- | M] () -- C:\Documents and Settings\techaide\NTUSER.DAT
[2009/11/30 14:00:13 | 00,001,158 | ---- | M] () -- C:\WINNT\System32\wpa.dbl
[2009/11/30 13:56:56 | 00,000,006 | -H-- | M] () -- C:\WINNT\tasks\SA.DAT
[2009/11/30 13:55:24 | 18,610,13504 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/30 13:54:06 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\techaide\ntuser.ini
[2009/11/19 13:49:34 | 02,003,204 | -H-- | M] () -- C:\Documents and Settings\techaide\Local Settings\Application Data\IconCache.db
[2009/11/19 13:49:14 | 00,000,634 | ---- | M] () -- C:\WINNT\win.ini
[2009/11/19 13:49:14 | 00,000,227 | ---- | M] () -- C:\WINNT\system.ini
[2009/11/19 13:49:14 | 00,000,207 | RHS- | M] () -- C:\boot.ini
[2009/11/19 13:13:35 | 00,000,605 | ---- | M] () -- C:\WINNT\QUICKEN.INI

========== Files Created - No Company Name ==========

[2008/01/25 13:34:22 | 02,003,204 | -H-- | C] () -- C:\Documents and Settings\techaide\Local Settings\Application Data\IconCache.db
[2008/01/25 13:30:35 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\techaide\Application Data\desktop.ini
[2007/04/12 12:01:40 | 00,065,536 | ---- | C] () -- C:\WINNT\System32\LogonDll.dll
[2007/01/03 14:27:21 | 00,194,248 | ---- | C] () -- C:\WINNT\System32\LTRFD13n.DLL
[2006/12/06 13:50:51 | 00,363,520 | ---- | C] () -- C:\WINNT\System32\psisdecd.dll
[2006/12/06 13:50:49 | 00,733,696 | ---- | C] () -- C:\WINNT\System32\qedwipes.dll
[2006/12/06 13:50:49 | 00,562,176 | ---- | C] () -- C:\WINNT\System32\qedit.dll
[2006/12/06 13:50:48 | 00,385,024 | ---- | C] () -- C:\WINNT\System32\qdvd.dll
[2006/12/06 13:50:48 | 00,279,040 | ---- | C] () -- C:\WINNT\System32\qdv.dll
[2006/12/06 13:50:48 | 00,192,512 | ---- | C] () -- C:\WINNT\System32\qcap.dll
[2006/12/06 13:50:48 | 00,070,656 | ---- | C] () -- C:\WINNT\System32\amstream.dll
[2006/12/06 13:50:48 | 00,059,904 | ---- | C] () -- C:\WINNT\System32\devenum.dll
[2006/12/06 13:50:48 | 00,035,328 | ---- | C] () -- C:\WINNT\System32\mciqtz32.dll
[2006/12/06 13:50:48 | 00,014,336 | ---- | C] () -- C:\WINNT\System32\msdmo.dll
[2006/11/21 14:46:22 | 00,000,050 | ---- | C] () -- C:\WINNT\wwp.INI
[2006/09/01 12:19:12 | 00,001,208 | ---- | C] () -- C:\WINNT\VFO.INI
[2006/09/01 12:19:11 | 00,196,096 | ---- | C] () -- C:\WINNT\System32\macd32.dll
[2006/09/01 12:19:11 | 00,138,752 | ---- | C] () -- C:\WINNT\System32\mase32.dll
[2006/09/01 12:19:11 | 00,136,192 | ---- | C] () -- C:\WINNT\System32\mamc32.dll
[2006/09/01 12:19:11 | 00,057,856 | ---- | C] () -- C:\WINNT\System32\masd32.dll
[2006/09/01 12:19:09 | 00,027,648 | ---- | C] () -- C:\WINNT\System32\ma32.dll
[2005/11/18 13:51:26 | 00,001,368 | ---- | C] () -- C:\WINNT\cdplayer.ini
[2005/10/24 13:15:15 | 00,001,747 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2004/05/05 11:46:04 | 00,355,112 | ---- | C] () -- C:\WINNT\System32\msjetoledb40.dll
[2003/11/12 14:48:08 | 00,000,003 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt
[2003/10/30 15:00:42 | 00,019,968 | ---- | C] () -- C:\WINNT\System32\cpuinf32.dll
[2003/09/11 11:31:59 | 00,000,370 | ---- | C] () -- C:\WINNT\ODBC.INI
[2003/07/08 12:14:30 | 00,000,061 | ---- | C] () -- C:\WINNT\smscfg.ini
[2003/07/08 12:01:07 | 00,000,605 | ---- | C] () -- C:\WINNT\QUICKEN.INI
[2003/07/08 12:01:07 | 00,000,052 | ---- | C] () -- C:\WINNT\intuprof.ini
[2003/07/08 11:59:13 | 00,000,701 | ---- | C] () -- C:\WINNT\System32\OEMINFO.INI
[2003/05/30 08:00:02 | 01,290,752 | ---- | C] () -- C:\WINNT\System32\quartz.dll
[2003/05/12 07:57:34 | 00,000,781 | ---- | C] () -- C:\WINNT\orun32.ini
[2003/05/12 07:32:50 | 00,000,000 | ---- | C] () -- C:\WINNT\control.ini
[2003/05/12 07:27:51 | 00,000,037 | ---- | C] () -- C:\WINNT\vbaddin.ini
[2003/05/12 07:27:51 | 00,000,036 | ---- | C] () -- C:\WINNT\vb.ini
[2003/05/12 07:27:04 | 00,013,223 | ---- | C] () -- C:\WINNT\System32\tslabels.ini
[2003/05/12 07:27:03 | 00,001,931 | ---- | C] () -- C:\WINNT\System32\msdtcprf.ini
[2003/05/12 07:22:09 | 00,465,578 | ---- | C] () -- C:\WINNT\System32\PerfStringBackup.INI
[2003/05/12 07:22:08 | 00,004,073 | ---- | C] () -- C:\WINNT\ODBCINST.INI
[2003/05/12 07:21:44 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2002/11/26 11:15:52 | 00,186,368 | ---- | C] () -- C:\WINNT\System32\encdec.dll
[2002/11/26 11:15:50 | 00,270,848 | ---- | C] () -- C:\WINNT\System32\sbe.dll
[2001/08/17 19:36:28 | 00,157,696 | ---- | C] () -- C:\WINNT\System32\paqsp.dll
[1979/12/31 21:00:00 | 01,015,477 | ---- | C] () -- C:\WINNT\System32\esentprf.ini
[1979/12/31 21:00:00 | 00,498,742 | ---- | C] () -- C:\WINNT\System32\dxmasf.dll
[1979/12/31 21:00:00 | 00,252,928 | ---- | C] () -- C:\WINNT\System32\compatui.dll
[1979/12/31 21:00:00 | 00,199,168 | ---- | C] () -- C:\WINNT\System32\ir32_32.dll
[1979/12/31 21:00:00 | 00,126,976 | ---- | C] () -- C:\WINNT\System32\e1000msg.dll
[1979/12/31 21:00:00 | 00,094,282 | ---- | C] () -- C:\WINNT\System32\msencode.dll
[1979/12/31 21:00:00 | 00,053,478 | ---- | C] () -- C:\WINNT\System32\tcpmon.ini
[1979/12/31 21:00:00 | 00,042,809 | ---- | C] () -- C:\WINNT\System32\key01.sys
[1979/12/31 21:00:00 | 00,042,537 | ---- | C] () -- C:\WINNT\System32\keyboard.sys
[1979/12/31 21:00:00 | 00,035,648 | ---- | C] () -- C:\WINNT\System32\ntio411.sys
[1979/12/31 21:00:00 | 00,035,424 | ---- | C] () -- C:\WINNT\System32\ntio412.sys
[1979/12/31 21:00:00 | 00,034,560 | ---- | C] () -- C:\WINNT\System32\ntio804.sys
[1979/12/31 21:00:00 | 00,034,560 | ---- | C] () -- C:\WINNT\System32\ntio404.sys
[1979/12/31 21:00:00 | 00,033,840 | ---- | C] () -- C:\WINNT\System32\ntio.sys
[1979/12/31 21:00:00 | 00,029,370 | ---- | C] () -- C:\WINNT\System32\ntdos411.sys
[1979/12/31 21:00:00 | 00,029,274 | ---- | C] () -- C:\WINNT\System32\ntdos412.sys
[1979/12/31 21:00:00 | 00,029,146 | ---- | C] () -- C:\WINNT\System32\ntdos804.sys
[1979/12/31 21:00:00 | 00,029,146 | ---- | C] () -- C:\WINNT\System32\ntdos404.sys
[1979/12/31 21:00:00 | 00,027,866 | ---- | C] () -- C:\WINNT\System32\ntdos.sys
[1979/12/31 21:00:00 | 00,027,097 | ---- | C] () -- C:\WINNT\System32\country.sys
[1979/12/31 21:00:00 | 00,015,360 | ---- | C] () -- C:\WINNT\System32\tsd32.dll
[1979/12/31 21:00:00 | 00,013,312 | ---- | C] () -- C:\WINNT\System32\win87em.dll
[1979/12/31 21:00:00 | 00,012,082 | ---- | C] () -- C:\WINNT\System32\rsvp.ini
[1979/12/31 21:00:00 | 00,010,240 | ---- | C] () -- C:\WINNT\System32\scriptpw.dll
[1979/12/31 21:00:00 | 00,010,110 | ---- | C] () -- C:\WINNT\System32\mqperf.ini
[1979/12/31 21:00:00 | 00,009,029 | ---- | C] () -- C:\WINNT\System32\ansi.sys
[1979/12/31 21:00:00 | 00,006,877 | ---- | C] () -- C:\WINNT\System32\pschdprf.ini
[1979/12/31 21:00:00 | 00,004,768 | ---- | C] () -- C:\WINNT\System32\himem.sys
[1979/12/31 21:00:00 | 00,004,126 | ---- | C] () -- C:\WINNT\System32\msdxmlc.dll
[1979/12/31 21:00:00 | 00,003,458 | ---- | C] () -- C:\WINNT\System32\rasctrs.ini
[1979/12/31 21:00:00 | 00,002,891 | ---- | C] () -- C:\WINNT\System32\perfci.ini
[1979/12/31 21:00:00 | 00,002,732 | ---- | C] () -- C:\WINNT\System32\perfwci.ini
[1979/12/31 21:00:00 | 00,002,656 | ---- | C] () -- C:\WINNT\System32\netware.drv
[1979/12/31 21:00:00 | 00,001,405 | ---- | C] () -- C:\WINNT\msdfmap.ini
[1979/12/31 21:00:00 | 00,001,152 | ---- | C] () -- C:\WINNT\System32\perffilt.ini
[1979/12/31 21:00:00 | 00,000,634 | ---- | C] () -- C:\WINNT\win.ini
[1979/12/31 21:00:00 | 00,000,343 | ---- | C] () -- C:\WINNT\System32\prodspec.ini
[1979/12/31 21:00:00 | 00,000,227 | ---- | C] () -- C:\WINNT\system.ini

========== LOP Check ==========

[2009/11/24 14:25:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2005/12/16 14:01:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2005/11/18 14:37:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2005/12/16 14:10:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2006/09/05 12:53:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Google
[2008/10/27 12:47:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Macrovision
[2005/09/27 13:32:37 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2003/07/08 12:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN Messenger 5.0.0527
[2005/10/26 13:17:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2007/01/03 14:39:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2007/01/03 14:39:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle Studio
[2003/05/12 07:58:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2007/12/21 01:05:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sophos
[2005/09/26 14:11:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2003/08/11 14:01:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2006/03/09 14:47:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
[2005/11/04 13:52:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2003/07/08 12:00:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Adobe
[2009/11/19 13:07:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Google
[2003/05/12 07:39:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Identities
[2003/07/08 12:00:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\InterTrust
[2009/11/16 13:22:32 | 00,000,000 | --SD | M] -- C:\Documents and Settings\techaide\Application Data\Microsoft
[2009/11/16 13:20:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Mozilla
[2009/11/16 13:20:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Nvu
[2008/01/25 13:31:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Real
[2003/07/08 12:01:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\Symantec
[2009/11/30 13:51:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\techaide\Application Data\U3
[2002/08/29 03:00:00 | 00,000,065 | RH-- | M] () -- C:\WINNT\Tasks\desktop.ini
[2003/08/11 13:43:14 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 1.job
[2003/08/11 13:43:14 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 2.job
[2003/08/11 13:43:15 | 00,000,254 | ---- | M] () -- C:\WINNT\Tasks\ISP signup reminder 3.job
[2009/11/30 13:56:56 | 00,000,006 | -H-- | M] () -- C:\WINNT\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

#12
Kyleweatherly93

    Member

  • Topic Starter
  • Member
  • 29 posts
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/30/2009 2:35:19 PM
mbam-log-2009-11-30 (14-35-19).txt

Scan type: Quick Scan
Objects scanned: 484078
Time elapsed: 13 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

#13
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
Hello. Logs are looking much improved.

Please know that the Kaspersky Online Scan (Step Two) can take 6-7+ hours. I recommend running it overnight. :) Remember to save and post back the log!

Step One
You don't appear to have Java installed (I could have missed it). Java is required for many functions over the Internet. We need it now for an online scan. Please follow these steps to remove older versions of Java components (if I missed any) and upgrade/install the application:
  • Please visit Java Downloads for All Operating Systems
  • Under Windows, click "Windows 7/XP/Vista/2000/2003/2008 Offline"
    • Make sure to download the Offline version.
    • Save it to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java:
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
  • Then from your Desktop double-click jre-6u17-windows-i586-s to install the newest version.
    (Vista users, right click and select "Run as an Administrator.")



Step Two
Using Internet Explorer or Firefox, please visit Kaspersky Online Scanner
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off any realtime scanners of any existing antivirus program while performing the scan.
      Click Here! for instructions on disabling some common realtime programs.
  • Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

  • 0
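The Add/Remove Programs check in Step One can be scripted so you can see every JRE or J2SE entry at once and confirm nothing is left behind before the new installer runs. The following is an added example and is not part of the original thread or the helper's instructions. It assumes Windows PowerShell is available (on XP it was a separate download, so it will not be present on a default SP2 install), that the session is elevated, and that the new JRE 6 Update 17 registers itself with DisplayVersion 6.0.170 (an assumption used only for the "old vs current" comparison).

```powershell
# Added example, not from the original thread: list the Java runtimes that
# Add/Remove Programs would show, flag those older than the JRE being installed,
# and print the uninstall command for each old one. Assumes Windows PowerShell
# is installed (a separate download on XP) and an elevated session.

# Registry keys behind Add/Remove Programs (Wow6432Node exists only on 64-bit Windows).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumption: jre-6u17-windows-i586-s registers as DisplayVersion 6.0.170.
# Adjust this if you install a different build.
$targetVersion = [version]'6.0.170'

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            # Same names the thread tells you to look for in Add/Remove Programs.
            if ($p.DisplayName -notmatch 'Java|J2SE|JRE') { continue }

            $ver = $null
            try { $ver = [version]$p.DisplayVersion } catch { }

            if ($ver -eq $null) {
                $status = 'unknown version - inspect'
            } elseif ($ver -lt $targetVersion) {
                $status = 'OLD - remove'
            } else {
                $status = 'current'
            }

            # New-Object/-Property works on PowerShell 2.0 ([pscustomobject] needs 3.0).
            New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Status          = $status
                UninstallString = $p.UninstallString
                Key             = $sub.PSChildName
            }
        }
    }
}

$found = @(Get-InstalledJava)
if ($found.Count -eq 0) {
    Write-Output 'No Java Runtime Environment entries found in Add/Remove Programs.'
} else {
    $found | Format-Table Name, Version, Status -AutoSize
    foreach ($e in $found | Where-Object { $_.Status -like 'OLD*' }) {
        # MSI-based JREs use their product code (the key name, a GUID) with msiexec /x.
        if ($e.Key -match '^\{[0-9A-Fa-f-]+\}$') {
            Write-Output ("To remove silently: msiexec.exe /x " + $e.Key + " /qn")
        } else {
            Write-Output ("To remove: " + $e.UninstallString)
        }
    }
}
```

Run it once before the uninstall step to get the full list, and once more after the reboot: an empty result at that point means every old runtime is gone and the new installer can go on. The script only reports; it never uninstalls anything on its own.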

#14
Kyleweatherly93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
There may be a problem involved here. I work for a school and am currently using a flash drive to move the programs and logs so I can upload them to the internet. I have unplugged the network cable so the malware would not spread over the network. Now, since I have to run an online scan, I do need to plug it back in. Do you feel I should worry about the malware spreading or no? If not, GREAT!! Then I can run the scan overnight and it will all be great. But if you do feel I should not hook the computer back up to the school's network, then we may have to find another scan. Thanks so much for your help :)
  • 0

#15
Onaipian

    Notepad warrior

  • Retired Staff
  • 2,130 posts
If you want, you can do this. It will perform the same function.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan, make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other drives (removable) that you may have


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says an object cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient, like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.


  • 0
