
vymosftav.exe



#1
Тony Montana45 (New Member)
About 4 days ago, my computer got infected through a memory stick (unintentionally).

Moments after inserting the memory stick and opening it in My Computer, I got a message that my computer was infected with a Trojan, and a fake scanner popped up and started scanning. I closed it. Then I got a message prompting me to download the full version of the fake anti-virus, which I immediately closed. I tried running my anti-virus, but a message popped up telling me that the program was infected and again prompted me to download the full version of the fake anti-virus. The same was the case with EVERY program on my computer. So basically all the programs were inoperable and the PC was unusable. I restarted. Upon restart, I opened Task Manager before the virus could make it un-openable, and closed all processes that were unfamiliar to me. Then I opened my anti-virus, which is Avast 4.8 Pro.

I scheduled a boot-time scan, restarted, and let the scanning begin. My friend kept an eye on the scanning process while I was gone and deleted some viruses after the scan. When I returned and turned on the computer, I immediately opened Task Manager again, not wanting to take any chances. Sure enough, no sooner had I done that than the computer started acting the same as before. I restarted in Safe Mode. I did two scans with Avast in Safe Mode, which took up 2 days. Avast uncovered some sort of malware and I deleted it the first time. The second time it didn't find anything. Then I restarted my computer in normal mode.

Again, I immediately opened Task Manager. This time, I took a photo of the screen to record the names of any unfamiliar programs. I also closed just one program first, of which there were actually two on the Task Manager list. As soon as I ended these two processes, the pop-up saying my computer is infected disappeared and all programs were openable again. The processes were both called "vymosftav.exe". Next, I did a scan with Malwarebytes' Anti-Malware. It did a full scan and found stuff like Adware.TMAagent, Trojan.Downloader, Trojan.FakeAlert, and Trojan.Dropper. I rebooted and did the Task Manager thing again, finding both vymosftav.exe processes again and shutting them down. Then I typed its name in Search, found the file, and deleted it. Then I ran HijackThis! and found two more entries with the word vymosftav.exe in them and deleted them.

I restarted yet again. I opened Task Manager and typed in the letter V. The suspect file vymosftav.exe was not present. I ran CCleaner and cleaned out a lot of temporary files. Next I ran across this site. I read the thread for instructions on cleaning out malware, and followed the directions. I ran TFC cleaner. Then I ran Malwarebytes' again. This time the scan came up clean. Then I downloaded ERUNT and created a registry backup (probably late, but I only came across this website today). I downloaded GMER and OTL and did scans with both programs. I have the logs saved and ready to show, if needed.

So now here comes the question: is anyone familiar with this "vymosftav.exe"? I have tried googling it and found absolutely no results. Something is telling me I shouldn't feel safe yet. Is it possible my computer still has an infection? Could vymosftav.exe be just a small part of something bigger? Any information would be greatly appreciated. I am ready to paste the logs, if needed.
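The OTL log posted later in this thread (post #3) carries several of the indicators this first post describes: an Internet Explorer proxy forced onto 127.0.0.1:5555 with ProxyEnable set, a Firefox manual proxy pointing at a remote address, a NoDriveTypeAutoRun policy value of 145 (0x91, the Windows XP default, which leaves AutoRun active for removable drives), and MountPoints2 handlers for a removable volume that launch E:\RECYCLER\...\isee.exe, the layout an autorun.inf worm leaves behind when a stick is opened in My Computer. The 8,700-line HOSTS file of 127.0.0.1 entries is a different matter: the log shows it modified at 08:20:59, five minutes after the Spybot - Search & Destroy folder was created, and a hosts-based blocklist that sinks names to loopback is not a hijack; a hijack maps names to some other address. The Python below is an added example written for this page, not part of the original thread and not an OTL feature. It triages those OTL line types on SAMPLE_OTL, a constructed excerpt that copies the formats seen in the log; the 10.0.0.9 hosts entry and the www.example-av-vendor.test name are invented for contrast. Every finding is a prompt for review, not a verdict.

```python
"""Triage a few OTL log line types for proxy, HOSTS and AutoRun indicators.

Added illustration for this thread; not OTL's own code.  SAMPLE_OTL is a
constructed excerpt modelled on the line formats OTL emits (IE Internet
Settings keys, Firefox prefs.js entries, O1 hosts, O7 policy, O33
MountPoints2).  The 10.0.0.9 hosts line is invented to show a real redirect.
"""
from __future__ import annotations

import re

SAMPLE_OTL = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
FF - prefs.js..network.proxy.http: "64.18.143.219"
FF - prefs.js..network.proxy.http_port: 2407
FF - prefs.js..network.proxy.type: 1
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 10.0.0.9 www.example-av-vendor.test
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
"""

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED
# (GetDriveType constants). 0xFF disables it everywhere; 0x91 is the XP default.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}

# Addresses that sink a name (blocklist behaviour) rather than redirect it.
SINKHOLE_PREFIXES = ("127.", "0.0.0.0", "::1")


def autorun_enabled_for(value: int) -> list[str]:
    """Drive types whose AutoRun is still active under NoDriveTypeAutoRun=value."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]


def triage_otl(text: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for OTL lines that deserve a second look."""
    findings: list[tuple[str, str]] = []
    ie_settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # IE reports each Internet Settings value on its own line; judge them together.
        m = re.match(r'IE - .*Internet Settings: "(\w+)" = (.*)$', line)
        if m:
            ie_settings[m.group(1)] = m.group(2)
            continue

        # Firefox manual proxy (network.proxy.type 1) aimed away from the local machine.
        m = re.match(r'FF - prefs\.js\.\.network\.proxy\.(http|ssl|socks|ftp): "([^"]+)"', line)
        if m and not m.group(2).startswith(SINKHOLE_PREFIXES):
            findings.append(("ff_proxy_remote", f"{m.group(1)} -> {m.group(2)}"))
            continue

        # HOSTS: loopback/0.0.0.0 entries are a blocklist; any other target is a redirect.
        m = re.match(r'O1 - Hosts: (\S+)\s+(\S+)$', line)
        if m and not m.group(1).startswith(SINKHOLE_PREFIXES):
            findings.append(("hosts_redirect", f"{m.group(2)} -> {m.group(1)}"))
            continue

        # AutoRun policy: removable media still allowed to autorun is the USB-worm vector.
        m = re.match(r'O7 - .*NoDriveTypeAutoRun = (\d+)$', line)
        if m:
            enabled = autorun_enabled_for(int(m.group(1)))
            if "removable" in enabled:
                findings.append(("autorun_removable_enabled", ",".join(enabled)))
            continue

        # Per-volume Shell\AutoRun or Shell\open handlers under MountPoints2 that run a
        # binary out of a RECYCLER folder: what an autorun.inf dropper leaves behind.
        m = re.match(r'O33 - MountPoints2\\(\{[^}]+\})\\Shell\\(\w+)\\command - "" = (.+?)(?: -- .*)?$', line)
        if m and re.search(r'\\RECYCLER\\', m.group(3), re.IGNORECASE):
            findings.append(("mountpoint_autorun", f"{m.group(1)} {m.group(2)} -> {m.group(3)}"))
            continue

    # An IE ProxyServer only matters when ProxyEnable is on.  A loopback:port proxy
    # means some local process sits in the browser's path and has to be identified.
    if ie_settings.get("ProxyEnable") == "1" and "ProxyServer" in ie_settings:
        findings.append(("ie_proxy", ie_settings["ProxyServer"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_otl(SAMPLE_OTL):
        print(f"{kind:28s} {detail}")
```

Run against the real log, the script would report the IE and Firefox proxies, the AutoRun policy and the two E:\RECYCLER handlers, and stay silent on the 007guard.com-style hosts entries; the MountPoints2 keys are per-volume GUIDs, so they survive after the stick is gone and the "File not found" suffix simply means the drive is not currently plugged in.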

#2
RKinner (Malware Expert)
Let's see the logs please.

Ron

#3
Тony Montana45 (Topic Starter)
GMER LOG



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-09 09:20:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\******~1\LOCALS~1\Temp\fgldrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEE3126B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEE312574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEE312A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEE31214C]
SSDT spwo.sys ZwEnumerateKey [0xF7522CA2]
SSDT spwo.sys ZwEnumerateValueKey [0xF7523030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEE31264E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEE31208C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEE3120F0]
SSDT spwo.sys ZwQueryKey [0xF7523108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEE31276E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEE31272E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEE3128AE]

INT 0x63 ? 857DEBF8
INT 0x82 ? 85770BF8
INT 0x83 ? 85770BF8
INT 0x83 ? 85770BF8
INT 0x83 ? 85770BF8
INT 0xA4 ? 855D3DD8
INT 0xA4 ? 855D3DD8
INT 0xA4 ? 855D3DD8
INT 0xA4 ? 855D3DD8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 857DA1F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Udfs \UdfsCdRom 84E6E1F8
Device \FileSystem\Udfs \UdfsDisk 84E6E1F8

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbohci \Device\USBPDO-0 855C11F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 857DC1F8
Device \Driver\dmio \Device\DmControl\DmConfig 857DC1F8
Device \Driver\dmio \Device\DmControl\DmPnP 857DC1F8
Device \Driver\dmio \Device\DmControl\DmInfo 857DC1F8
Device \Driver\usbohci \Device\USBPDO-1 855C11F8
Device \Driver\usbehci \Device\USBPDO-2 855AA1F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 857711F8
Device \Driver\Cdrom \Device\CdRom0 8559D1F8
Device \Driver\Cdrom \Device\CdRom1 8559D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F743AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 852DE500
Device \Driver\NetBT \Device\NetBT_Tcpip_{9A5FE4A5-8534-4FFE-9797-7CE3FDE52D98} 852DE500
Device \Driver\NetBT \Device\NetbiosSmb 852DE500
Device \Driver\PCI_PNP5148 \Device\0000004c spwo.sys

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 855C11F8
Device \Driver\usbohci \Device\USBFDO-1 855C11F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 854261F8
Device \Driver\usbehci \Device\USBFDO-2 855AA1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 854261F8
Device \Driver\Ftdisk \Device\FtControl 857711F8
Device \Driver\sptd \Device\1641825148 spwo.sys
Device \Driver\as18x597 \Device\Scsi\as18x5971Port4Path0Target0Lun0 855341F8
Device \Driver\as18x597 \Device\Scsi\as18x5971 855341F8
Device \FileSystem\Cdfs \Cdfs 8529C500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0xB7 0x35 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x35 0x74 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC4 0x33 0xDF 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCB 0xB7 0x35 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x44 0x35 0x74 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC4 0x33 0xDF 0x26 ...

---- EOF - GMER 1.0.15 ----


--------------------------------------------------------------------------------------------------------

OTL LOG

OTL logfile created on: 2/9/2010 9:24:07 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\*********\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 518.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 28.12 Gb Free Space | 30.19% Space Free | Partition Type: NTFS
Drive D: | 330.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: *********
Current User Name: *********
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/09 09:21:18 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\[bleep] [bleep]er\My Documents\Downloads\OTL(2).exe
PRC - [2009/11/25 04:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/25 04:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/25 04:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/25 04:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/25 04:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/09 01:35:13 | 000,153,848 | ---- | M] (ICQ, LLC.) -- C:\Program Files\ICQLite\icq.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/04/14 05:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/29 18:37:06 | 003,858,432 | ---- | M] (Provide Support, LLC) -- C:\Program Files\Provide Support\Live Support Chat for Web Site\ProvideSupportConsole.exe
PRC - [2006/08/01 22:57:06 | 001,773,568 | ---- | M] (TOSHIBA Inc.) -- C:\Program Files\TOSHIBA\Windows Utilities\Hotkey.exe
PRC - [2006/05/26 06:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2006/03/17 01:58:50 | 000,974,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2005/12/12 11:33:46 | 000,393,216 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/12/11 21:05:00 | 000,344,064 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2005/09/27 00:22:28 | 000,036,864 | ---- | M] () -- C:\WINDOWS\system32\acs.exe
PRC - [2005/06/01 09:00:12 | 000,282,624 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2005/06/01 08:59:58 | 000,045,056 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2005/03/18 05:37:26 | 000,151,552 | ---- | M] (TOSHIBA Corporation) -- C:\TOSHIBA\IVP\ISM\pinger.exe
PRC - [2005/01/18 04:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe


========== Modules (SafeList) ==========

MOD - [2010/02/09 09:21:18 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\*********\My Documents\Downloads\OTL(2).exe
MOD - [2009/11/25 04:50:32 | 000,139,264 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/25 04:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/25 04:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/25 04:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/25 04:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/10/11 04:17:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2008/11/21 02:20:44 | 000,536,872 | ---- | M] (Apple Inc.) [On_Demand | Stopped] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/08/29 23:18:44 | 000,238,888 | ---- | M] (Apple Inc.) [Disabled | Stopped] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/05/26 06:30:16 | 000,114,688 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2005/12/12 11:33:46 | 000,393,216 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/09/27 00:22:28 | 000,036,864 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2005/07/13 05:14:42 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- c:\TOSHIBA\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2005/04/04 12:41:10 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- c:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2005/01/18 04:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2004/08/28 12:33:00 | 000,110,592 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Stopped] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)
SRV - [2003/07/29 00:28:22 | 000,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "ICQ Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.1.3
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.8
FF - prefs.js..extensions.enabledItems: [email protected]:3.1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:0.6.20100112
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.68
FF - prefs.js..extensions.enabledItems: {a02c0c70-605c-11da-8cd6-0800200c9a66}:4.19
FF - prefs.js..network.proxy.backup.ftp: "64.18.143.219"
FF - prefs.js..network.proxy.backup.ftp_port: 2407
FF - prefs.js..network.proxy.backup.gopher: "64.18.143.219"
FF - prefs.js..network.proxy.backup.gopher_port: 2407
FF - prefs.js..network.proxy.backup.socks: "64.18.143.219"
FF - prefs.js..network.proxy.backup.socks_port: 2407
FF - prefs.js..network.proxy.backup.ssl: "64.18.143.219"
FF - prefs.js..network.proxy.backup.ssl_port: 2407
FF - prefs.js..network.proxy.ftp: "64.18.143.219"
FF - prefs.js..network.proxy.ftp_port: 2407
FF - prefs.js..network.proxy.gopher: "64.18.143.219"
FF - prefs.js..network.proxy.gopher_port: 2407
FF - prefs.js..network.proxy.http: "64.18.143.219"
FF - prefs.js..network.proxy.http_port: 2407
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "64.18.143.219"
FF - prefs.js..network.proxy.socks_port: 2407
FF - prefs.js..network.proxy.ssl: "64.18.143.219"
FF - prefs.js..network.proxy.ssl_port: 2407
FF - prefs.js..network.proxy.type: 1


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/01/19 15:12:41 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Common Files\Target Marketing Agency\TMAgent\extension
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/17 23:58:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/01/07 08:31:13 | 000,000,000 | ---D | M]

[2009/01/18 14:56:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\Mozilla\Extensions
[2010/02/09 09:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions
[2010/01/19 19:29:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2009/09/10 21:17:02 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2010/01/19 19:26:03 | 000,000,000 | ---D | M] (PimpZilla) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{a02c0c70-605c-11da-8cd6-0800200c9a66}
[2010/01/17 23:59:26 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/01/19 00:15:13 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/01/17 23:59:24 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2010/01/17 23:59:01 | 000,000,000 | ---D | M] (DownThemAll!) -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2010/01/19 19:36:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\[email protected]
[2010/01/17 23:59:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\extensions\[email protected]
[2010/02/02 09:28:19 | 000,000,961 | ---- | M] () -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\searchplugins\icqplugin-1.xml
[2009/01/18 19:06:06 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\searchplugins\icqplugin-2.xml
[2009/02/07 15:46:23 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\searchplugins\icqplugin-3.xml
[2008/11/23 18:11:36 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\searchplugins\icqplugin.xml
[2008/12/12 23:23:54 | 000,002,158 | ---- | M] () -- C:\Documents and Settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\searchplugins\MySpace.xml
[2010/02/09 09:15:18 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/18 15:08:14 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{800b5000-a755-47e1-992b-48a1c1357f07}

O1 HOSTS File: ([2010/02/09 08:20:59 | 000,249,147 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.1001-search.info
O1 - Hosts: 127.0.0.1 1001-search.info
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.123topsearch.com
O1 - Hosts: 127.0.0.1 123topsearch.com
O1 - Hosts: 127.0.0.1 www.132.com
O1 - Hosts: 127.0.0.1 132.com
O1 - Hosts: 127.0.0.1 www.136136.net
O1 - Hosts: 127.0.0.1 136136.net
O1 - Hosts: 127.0.0.1 www.139mm.com
O1 - Hosts: 8709 more lines...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [CFSServ.exe] File not found
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Toshiba Hotkey Utility] c:\Program Files\Toshiba\Windows Utilities\Hotkey.exe (TOSHIBA Inc.)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe ()
O4 - HKCU..\Run: [ProvideSupportOperatorConsole[default]] C:\Program Files\Provide Support\Live Support Chat for Web Site\ProvideSupportConsole.exe (Provide Support, LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\*********\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\*********\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: ICQ Lite - {E59EB121-F339-4851-A3BA-FE49C35617C2} - File not found
O9 - Extra 'Tools' menuitem : ICQ Lite - {E59EB121-F339-4851-A3BA-FE49C35617C2} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 41 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 40 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1232359627345 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\*********\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\*********\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/19 10:24:01 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [1997/08/14 22:37:26 | 000,450,560 | R--- | M] () - D:\AUTORUN.EXE -- [ CDFS ]
O32 - AutoRun File - [1996/06/05 02:07:26 | 000,000,051 | R--- | M] () - D:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{b2d76773-33c7-11db-bd96-806d6172696f}\Shell\play\command - "" = C:\Program Files\InterVideo\WinDVD\WinDVD.exe -- [2006/07/29 06:07:26 | 000,106,496 | ---- | M] (InterVideo Inc.)
O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found
O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2006/10/19 10:23:06 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17454841580224512)

========== Files/Folders - Created Within 14 Days ==========

[2010/02/09 09:01:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/02/09 08:57:07 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/02/09 08:15:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/09 08:15:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/09 08:11:25 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\*********\Recent
[2010/02/08 11:35:30 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/02/08 11:34:51 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/08 08:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\*********\Application Data\Malwarebytes
[2010/02/08 08:17:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/08 08:17:52 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/08 08:17:52 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/08 08:17:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/07 17:39:00 | 016,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\*********\Desktop\spybotsd162.exe
[2010/02/05 22:41:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\*********\Local Settings\Application Data\vuwjws
[2010/02/02 13:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\*********\Desktop\chika
[2009/08/20 22:39:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2009/08/20 22:39:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/08/12 23:03:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Mozilla
[2009/08/12 23:03:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Mozilla
[2009/01/29 16:02:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ESET
[2009/01/29 09:27:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/01/19 16:27:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/01/18 21:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[2006/10/19 10:27:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2006/10/19 10:27:44 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/10/19 10:27:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/02/09 09:20:52 | 010,747,904 | -H-- | M] () -- C:\Documents and Settings\*********\NTUSER.DAT
[2010/02/09 09:01:37 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/09 09:01:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/09 09:01:12 | 937,603,072 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/09 08:59:34 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\*********\ntuser.ini
[2010/02/09 08:57:15 | 000,000,778 | ---- | M] () -- C:\Documents and Settings\*********\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/02/09 08:57:08 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\NTREGOPT.lnk
[2010/02/09 08:57:08 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\ERUNT.lnk
[2010/02/09 08:20:59 | 000,249,147 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/09 08:15:52 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\Spybot - Search & Destroy.lnk
[2010/02/08 18:30:13 | 000,027,204 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\worksheet.rtf
[2010/02/08 14:54:32 | 000,109,568 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\2010_02_shipping_0201.xls
[2010/02/08 14:52:34 | 000,069,120 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\2010_01_shipping_0131.xls
[2010/02/08 11:47:18 | 000,366,344 | ---- | M] () -- C:\Documents and Settings\*********\My Documents\cc_20100208_114703.reg
[2010/02/08 11:35:31 | 000,001,559 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\CCleaner.lnk
[2010/02/08 11:34:51 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\HijackThis.lnk
[2010/02/08 10:05:51 | 001,098,498 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\thinkifoundit.bmp
[2010/02/08 10:03:03 | 000,156,915 | ---- | M] () -- C:\Documents and Settings\*********\Desktop\scan-2.JPG
[2010/02/08 08:17:58 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/07 18:00:03 | 016,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\*********\Desktop\spybotsd162.exe
[2010/02/07 16:49:04 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/07 16:29:00 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/02/04 09:27:07 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/04 07:49:38 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/02/04 07:46:25 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/02/04 07:40:31 | 001,577,344 | -H-- | M] () -- C:\Documents and Settings\*********\Local Settings\Application Data\IconCache.db
[2010/02/01 00:58:46 | 000,206,336 | ---- | M] () -- C:\Documents and Settings\*********\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/29 05:50:44 | 000,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2010/01/28 22:27:16 | 000,293,423 | ---- | M] () -- C:\Documents and Settings\*********\1 019.jpg

========== Files Created - No Company Name ==========

[2010/02/09 08:57:15 | 000,000,778 | ---- | C] () -- C:\Documents and Settings\*********\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2010/02/09 08:57:08 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\NTREGOPT.lnk
[2010/02/09 08:57:08 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\ERUNT.lnk
[2010/02/09 08:56:50 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\gmer.exe
[2010/02/09 08:15:52 | 000,000,944 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\Spybot - Search & Destroy.lnk
[2010/02/08 14:54:20 | 000,109,568 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\2010_02_shipping_0201.xls
[2010/02/08 14:52:26 | 000,069,120 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\2010_01_shipping_0131.xls
[2010/02/08 11:47:06 | 000,366,344 | ---- | C] () -- C:\Documents and Settings\*********\My Documents\cc_20100208_114703.reg
[2010/02/08 11:35:31 | 000,001,559 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\CCleaner.lnk
[2010/02/08 11:34:51 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\HijackThis.lnk
[2010/02/08 09:59:31 | 001,098,498 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\thinkifoundit.bmp
[2010/02/08 09:48:04 | 000,156,915 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\scan-2.JPG
[2010/02/08 08:17:58 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/08 07:57:35 | 937,603,072 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/06 09:04:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/01/29 02:34:18 | 000,293,423 | ---- | C] () -- C:\Documents and Settings\*********\Desktop\1 019.jpg
[2009/11/08 17:42:20 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009/02/20 02:06:17 | 000,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2009/02/01 01:34:27 | 000,001,043 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/02/01 01:05:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ToDisc.INI
[2009/01/23 22:20:36 | 000,206,336 | ---- | C] () -- C:\Documents and Settings\*********\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/21 21:34:39 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\vusetup.dll
[2009/01/21 21:34:31 | 000,000,272 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009/01/21 19:35:47 | 000,000,067 | ---- | C] () -- C:\WINDOWS\swupdate.INI
[2009/01/19 15:15:27 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/01/18 21:40:42 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\*********\Local Settings\Application Data\fusioncache.dat
[2009/01/18 18:57:56 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2009/01/18 14:50:37 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\zdmDll.dll
[2009/01/18 14:50:37 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\AsNotify.dll
[2009/01/18 14:50:37 | 000,001,185 | ---- | C] () -- C:\WINDOWS\System32\W32N55.INI
[2009/01/18 14:47:16 | 000,002,229 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/01/18 14:47:14 | 000,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2006/10/19 13:13:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/10/19 13:13:16 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/10/19 13:13:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/10/19 13:13:16 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/10/19 13:13:16 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/10/19 13:13:16 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/10/19 11:53:50 | 000,011,122 | ---- | C] () -- C:\WINDOWS\HWSetupStr.ini
[2006/10/19 11:53:50 | 000,002,036 | ---- | C] () -- C:\WINDOWS\SVPW32Str.ini
[2006/10/19 11:36:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/10/19 11:21:53 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/10/19 10:30:22 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/19 10:17:50 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/10/19 09:57:16 | 000,000,341 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/08/22 20:01:46 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/08/01 22:56:40 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\TPeculiarity.dll
[2005/12/08 23:56:50 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\tsbwls.dll
[2005/08/25 03:20:28 | 000,009,472 | ---- | C] () -- C:\WINDOWS\System32\drivers\tbiosdrv.sys
[2005/08/06 02:01:54 | 000,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2003/01/08 03:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/01/19 16:40:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/01/18 15:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ICQ
[2010/01/19 00:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Speedbit
[2009/02/19 20:42:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/08 23:02:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/01/18 19:10:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2009/01/19 16:48:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/11/08 17:42:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\DAEMON Tools
[2010/01/29 02:04:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\ICQ
[2006/08/25 04:30:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\InterVideo
[2006/10/19 11:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\toshiba
[2010/02/01 12:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\*********\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/10 02:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/01/19 15:52:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2004/08/10 02:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:AGP440.sys
[2009/01/19 15:52:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 23:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 23:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/10 02:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/01/19 15:52:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2004/08/10 02:00:00 | 016,971,599 | ---- | M] () .cab file -- C:\WINDOWS\I386\sp2.cab:atapi.sys
[2009/01/19 15:52:01 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 23:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 23:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/10 02:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 05:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 02:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: KR10N.SYS >
[2005/01/11 22:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) MD5=00C1EA8DECF810B8ECCB5C5A8186A96E -- C:\WINDOWS\OemDir\KR10N.sys
[2005/01/11 22:05:46 | 000,204,160 | ---- | M] (TOSHIBA CORPORATION) MD5=00C1EA8DECF810B8ECCB5C5A8186A96E -- C:\WINDOWS\system32\drivers\KR10N.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 05:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 02:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 02:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 05:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 05:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/14 05:11:51 | 001,267,200 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\comsvcs.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2009/11/08 17:42:21 | 000,717,296 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2006/10/19 03:12:23 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2006/10/19 03:12:23 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2006/10/19 03:12:23 | 000,880,640 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 106 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

--------------------------------------------------------------------------------------------------------

OTL EXTRAS

OTL Extras logfile created on: 2/9/2010 9:24:07 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\***********\My Documents\Downloads
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 518.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.16 Gb Total Space | 28.12 Gb Free Space | 30.19% Space Free | Partition Type: NTFS
Drive D: | 330.82 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ***********
Current User Name: ***********
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\TOSHIBA\ivp\NetInt\Netint.exe" = C:\TOSHIBA\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrade Engine -- (TOSHIBA Corporation)
"C:\TOSHIBA\Ivp\ISM\pinger.exe" = C:\TOSHIBA\IVP\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger -- (TOSHIBA Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- File not found
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- File not found
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- File not found
"C:\Program Files\Common Files\AOL\1161249244\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1161249244\EE\AOLServiceHost.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe" = C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- File not found
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\ICQLite\ICQ.exe" = C:\Program Files\ICQLite\ICQ.exe:*:Enabled:ICQ Lite -- (ICQ, LLC.)
"C:\Program Files\Asus\AiGuru S2 Utility\AiGuruS2Utility.exe" = C:\Program Files\Asus\AiGuru S2 Utility\AiGuruS2Utility.exe:*:Enabled:AiGuru S2 Utility -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Valve\hl.exe" = C:\Program Files\Valve\hl.exe:*:Enabled:Half-Life Launcher -- File not found
"C:\Program Files\Counter-Strike 1.6\hl.exe" = C:\Program Files\Counter-Strike 1.6\hl.exe:*:Enabled:Half-Life Launcher -- (Valve)
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- (Skype Technologies)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- File not found
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- File not found
"C:\Program Files\MySpace\IM\MySpaceIM.exe" = C:\Program Files\MySpace\IM\MySpaceIM.exe:*:Enabled:MySpace Instant Messenger -- ()
"C:\WINDOWS\system32\drivers\svchost.exe" = C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:svchost -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- (Skype Technologies S.A.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{05832D65-6EDB-4D32-BA78-BCD0E2B91C02}" = Atheros Wireless LAN MiniPCI/PCIe card Driver
"{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 17
"{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{400830CA-F056-4BBE-80A3-9DF9CA4FB889}" = TOSHIBA Direct Disc Writer
"{425A2BC2-AA64-4107-9C29-484245BBEA05}" = TOSHIBA Software Upgrades
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47D2103B-FD51-4017-9C20-DD408B17D726}" = Office 2003 Trial Assistant
"{529DDE6B-4F31-438B-B218-F36266ABD8C0}" = TOSHIBA Disc Creator
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{64212898-097F-4F3F-AECA-6D34A7EF82DF}" = TOSHIBA Zooming Utility
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C13128C-1782-456F-84A4-017CECE259CA}" = ICQ Lite
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{71D658CF-4E0D-4DA8-AA67-8C0B6F1C01FE}" = Atheros Client Utility
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD for TOSHIBA
"{91A10409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}" = TOSHIBA ConfigFree
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0A05EB3-1A5E-45EF-B2AB-E3ABD2B86130}" = Toshiba Hotkey Utility
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F21B28BF-8A4D-4F1A-A61B-69DD5B4A9BBA}" = Toshiba Media Center Game Console
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F6C405D2-C50D-4D10-B89E-73A233A14D74}" = Toshiba Registration
"{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ASIO4ALL" = ASIO4ALL
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"CCleaner" = CCleaner
"Counter-Strike 1.6" = Counter-Strike 1.6
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ERUNT_is1" = ERUNT 1.1j
"HijackThis" = HijackThis 2.0.2
"InstallShield_{099D12EC-0321-4CAC-A0CC-33D020156FCD}" = Toshiba Utility
"InstallShield_{2C38F661-26B7-445D-B87D-B53FE2D3BD42}" = TOSHIBA PC Diagnostic Tool
"InstallShield_{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA}" = Toshiba Touchpad Utility
"IrfanView" = IrfanView (remove only)
"Live Support Chat for Web Site_is1" = Live Support Chat for Web Site 4.3.0
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"MySpaceIM" = MySpaceIM
"Power Saver" = TOSHIBA Power Saver
"RealPlayer 6.0" = RealPlayer
"Red Alert" = Red Alert Windows 95
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TOSHIBA Software Modem" = TOSHIBA Software Modem
"VLC media player" = VLC media player 1.0.3
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 12/8/2009 1:32:06 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = AAVM - scanning error: OpenEventsAndMapping: OpenEvent failed!, 00000002.


Error - 12/8/2009 1:32:06 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = AAVM - scanning error: ClientRqDispatchThread: OpenEventsAndMapping
failed - client probably died, 00008D75.

Error - 12/9/2009 10:11:59 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\WINDOWS\SoftwareDistribution\Download\803a199c9684b0bc2060630def40d202\BIT6F7.tmp
failed, 00000026.

Error - 1/6/2010 11:35:17 PM | Computer Name = *********** | Source = avast! | ID = ***********
Description = AAVM - scanning error: Aavm: CreateEventsAndMapping mutex timeout
- server DOWN???, (null).

Error - 1/6/2010 11:35:21 PM | Computer Name = *********** | Source = avast! | ID = ***********
Description = AAVM - scanning error: Aavm: CreateEventsAndMapping mutex timeout
- server DOWN???, (null).

Error - 2/5/2010 11:17:06 PM | Computer Name = *********** | Source = avast! | ID = ***********
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

Error - 2/7/2010 11:34:19 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 2/7/2010 11:34:19 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 2/7/2010 11:34:31 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 2/7/2010 11:38:16 AM | Computer Name = *********** | Source = avast! | ID = ***********
Description = Internal error has occurred in module aswar scan function failed!,
function 00000002.

[ Application Events ]
Error - 9/6/2009 1:14:21 PM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application itunes.exe, version 8.0.2.20, faulting module
quicktime.qts, version 7.55.90.70, fault address 0x001945fa.

Error - 9/11/2009 7:47:42 AM | Computer Name = *********** | Source = Application Hang | ID = ***********
Description = Hanging application OUTLOOK.EXE, version 11.0.8217.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 9/12/2009 12:01:15 PM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application itunes.exe, version 8.0.2.20, faulting module
quicktime.qts, version 7.55.90.70, fault address 0x001945fa.

Error - 9/28/2009 10:58:46 PM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application itunes.exe, version 8.0.2.20, faulting module
quicktime.qts, version 7.55.90.70, fault address 0x001945fa.

Error - 10/1/2009 5:33:06 PM | Computer Name = *********** | Source = MsiInstaller | ID = ***********
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 10/1/2009 5:33:06 PM | Computer Name = *********** | Source = MsiInstaller | ID = ***********
Description = Product: Windows Live Communications Platform -- The installer has
encountered an unexpected error installing this package. This may indicate a problem
with this package. The error code is 2762. The arguments are: , ,

Error - 10/12/2009 9:34:04 AM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, faulting module 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, fault address 0x0000a8b4.

Error - 10/12/2009 9:34:04 AM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, faulting module 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, fault address 0x0000a8b4.

Error - 10/12/2009 9:34:06 AM | Computer Name = *********** | Source = Application Error | ID = ***********
Description = Faulting application 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, faulting module 006300730031003600660075006C006C005F0076003300200441043D043004470430043B04300020044D0442044300200441044204300432044C002E
006500780065,
version 9.0.0.333, fault address 0x0000a8b4.

Error - 10/15/2009 8:55:37 PM | Computer Name = *********** | Source = Microsoft Office 11 | ID = ***********
Description = Rejected Safe Mode action : Microsoft Office Outlook.

[ System Events ]
Error - 2/8/2010 10:58:08 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 2/8/2010 10:58:23 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 2/8/2010 11:58:26 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/8/2010 11:58:27 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The Atheros Configuration Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/8/2010 11:58:27 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The ConfigFree Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/8/2010 11:58:28 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/8/2010 11:58:28 PM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The TOSHIBA Optical Disc Drive Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 2/9/2010 12:03:26 AM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 2/9/2010 12:03:36 AM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The DVD-RAM_Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 2/9/2010 12:03:42 AM | Computer Name = *********** | Source = Service Control Manager | ID = ***********
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >
--------------------------------------------------------------------------------------------------------

Also, here's another thing:

When I turned on the computer yesterday and turned on Task Manager, I saw vymosftav.exe for a split second, and then it disappeared from the processes list.

#4 RKinner (Malware Expert, MVP, 24,624 posts)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

This is a sign of a common infection. Unfortunately the malware proxy is being removed by MBAM and other scanners, but the proxy setup in IE (and sometimes in Firefox) is being left in, which takes it offline.


In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

Now IE should work again. Your Firefox also has a proxy, but I'm thinking it is probably legit since the address is external to your PC and in NJ.

You still have some infected flash signs:


O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found
O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************************************
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f

**********************************************************************

Start, Run, cmd, OK to bring up a new Command Prompt window. Right click and select Paste and the above text should appear. Make sure you got it all and then hit Enter.

Close the Command Prompt window.

Download Flash_Disinfector.exe by sUBs
http://download.blee...Disinfector.exe
and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

I see two files that look suspicious:
C:\WINDOWS\System32\zdmDll.dll
C:\WINDOWS\System32\AsNotify.dll
Let's submit each to http://virustotal.com (go to the site, press Browse and point it to the first file, then Open and Send File). It will give you a report on the file from 41 different antivirus companies. If it says 0/41 then we won't worry about it, but I expect at least a few of them will not like it. In that case copy the report and paste it into a reply.

Finally
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Ron

Edited by RKinner, 11 February 2010 - 12:59 AM.

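The three things Ron picks out of the logs by hand above (the IE proxy pointing at the local machine, the MountPoints2 autorun handlers for the flash drive, and the Firefox proxy that is only worth a review) can be checked mechanically over OTL and ComboFix log lines. The script below is an added example for this thread, not code from the original post or from the OTL/ComboFix authors; the sample lines are copied from the logs posted here, and the regexes and severity labels are my own assumptions about those log formats.

```python
import re
from typing import Dict, List, Tuple

# (severity, short description, the log line it came from)
Finding = Tuple[str, str, str]

# IE proxy in OTL form ('"ProxyServer" = http=127.0.0.1:5555') or ComboFix form
# ('uInternet Settings,ProxyServer = http=127.0.0.1:5555'). These regexes are my
# assumptions about the log formats, fitted to the lines in this thread.
PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(?P<val>\S+)')
LOOPBACK_RE = re.compile(r'(?:^|=)(?:127\.0\.0\.1|localhost):(?P<port>\d+)', re.I)

# OTL O33 lines: per-drive MountPoints2 shell handlers (the "infected flash" signs above)
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\\{[^}]+\}\\Shell\\(?P<verb>\w+)\\command\b.*?=\s*(?P<cmd>.*)$', re.I)
RECYCLER_EXE_RE = re.compile(r'[A-Z]:\\RECYCLER\\.*?\.exe', re.I)

# ComboFix dump of Firefox prefs.js: "FF - prefs.js: network.proxy.<key> - <value>"
FF_PROXY_RE = re.compile(r'^FF - prefs\.js: network\.proxy\.(?P<key>\w+) - (?P<val>\S+)$')

# Sample input: lines copied from the OTL and ComboFix logs posted in this thread.
SAMPLE_LOG_LINES = [
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1',
    r'IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    r'O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\AutoRun\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found',
    r'O33 - MountPoints2\{c98bcb77-1093-11de-9adb-00163680bf1d}\Shell\open\command - "" = E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isee.exe -- File not found',
    r'uInternet Settings,ProxyServer = http=127.0.0.1:5555',
    r'uInternet Settings,ProxyOverride = <local>',
    r'FF - prefs.js: network.proxy.http - 64.18.143.219',
    r'FF - prefs.js: network.proxy.http_port - 2407',
    r'FF - prefs.js: network.proxy.ssl - 64.18.143.219',
    r'FF - prefs.js: network.proxy.ssl_port - 2407',
    r'FF - prefs.js: network.proxy.type - 1',
]


def triage(lines: List[str]) -> List[Finding]:
    """Return the findings a helper would raise from these log lines, in log order
    (the Firefox proxy settings are summarised once, at the end)."""
    findings: List[Finding] = []
    ff_proxy: Dict[str, str] = {}
    ff_first_line = ""

    for raw in lines:
        line = raw.strip()

        m = PROXY_RE.search(line)
        if m:
            lb = LOOPBACK_RE.search(m.group("val"))
            if lb:
                # A proxy on the local machine with nothing left listening on that port is
                # exactly what keeps IE offline after the proxy malware itself is removed.
                # A local AV web filter can register here too, so check the port against
                # products known to be installed before clearing it.
                findings.append(("high", f"IE proxy to localhost:{lb.group('port')}", line))
            continue

        m = MOUNTPOINT_RE.match(line)
        if m:
            exe = RECYCLER_EXE_RE.search(m.group("cmd"))
            if exe:
                # Shell\AutoRun or Shell\open pointing into a drive's RECYCLER folder means
                # the drive was (or is) carrying an autorun worm; the handler outlives the
                # file and is cleared with the reg.exe step above.
                findings.append(("high", f"MountPoints2 {m.group('verb')} handler runs {exe.group(0)}", line))
            continue

        m = FF_PROXY_RE.match(line)
        if m:
            ff_proxy[m.group("key")] = m.group("val")
            ff_first_line = ff_first_line or line

    # network.proxy.type 1 is manual proxy configuration. An external address may well be
    # legitimate (an ISP or office proxy), so it is reported for review, not as malware.
    if ff_proxy.get("type") == "1":
        hosts = sorted({v for k, v in ff_proxy.items() if k in ("http", "ssl", "ftp", "socks", "gopher")})
        ports = sorted({v for k, v in ff_proxy.items() if k.endswith("_port")})
        findings.append(("review", f"Firefox manual proxy {','.join(hosts)}:{','.join(ports)}", ff_first_line))
    return findings


if __name__ == "__main__":
    for severity, what, source in triage(SAMPLE_LOG_LINES):
        print(f"[{severity:6}] {what}\n         {source}")
```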

#5 Тony Montana45 (Topic Starter, New Member, 7 posts)
I have followed all your instructions carefully. I submitted the suspicious files to virustotal.com, but they came up clean.

Here is my ComboFix log:

ComboFix 10-02-10.05 - ******** 02/11/2010 20:47:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.526 [GMT 5:00]
Running from: c:\documents and settings\********\Desktop\george.exe
AV: avast! antivirus 4.8.1368 [VPS 100211-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\********\Local Settings\Application Data\vuwjws
c:\documents and settings\********\Local Settings\Application Data\vuwjws\vymosftav.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-11 15:34 . 2010-02-11 15:40 -------- d-----w- C:\george
2010-02-10 10:09 . 2010-02-10 10:10 -------- d-----w- C:\3a376b459808a8227f332e
2010-02-09 03:57 . 2010-02-09 03:57 -------- d-----w- c:\program files\ERUNT
2010-02-09 03:15 . 2010-02-09 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-09 03:15 . 2010-02-09 03:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 06:35 . 2010-02-08 06:35 -------- d-----w- c:\program files\CCleaner
2010-02-08 06:34 . 2010-02-08 06:34 -------- d-----w- c:\program files\Trend Micro
2010-02-08 03:18 . 2010-02-08 03:18 -------- d-----w- c:\documents and settings\********\Application Data\Malwarebytes
2010-02-08 03:17 . 2009-12-30 09:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 03:17 . 2010-02-08 03:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 03:17 . 2010-02-08 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 03:17 . 2009-12-30 09:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 04:04 . 2010-02-07 11:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 22:51 . 2010-02-11 09:22 -------- d-----w- c:\documents and settings\********\Application Data\vlc
2010-01-18 19:37 . 2010-01-18 19:37 -------- d-----w- c:\documents and settings\********\dwhelper
2010-01-17 18:56 . 2010-01-18 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Speedbit
2010-01-12 18:37 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-11 15:13 . 2009-01-18 09:48 -------- d-----w- c:\documents and settings\********\Application Data\Skype
2010-02-11 03:18 . 2009-01-19 12:57 -------- d-----w- c:\documents and settings\********\Application Data\skypePM
2010-02-07 12:14 . 2009-01-19 11:46 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 07:07 . 2009-01-18 09:59 -------- d-----w- c:\documents and settings\********\Application Data\uTorrent
2010-01-28 21:04 . 2009-01-18 10:01 -------- d-----w- c:\documents and settings\********\Application Data\ICQ
2010-01-20 22:39 . 2009-01-20 16:59 -------- d-----w- c:\documents and settings\********\Application Data\dvdcss
2010-01-09 03:28 . 2006-10-19 07:04 40320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 15:17 . 2010-01-07 15:17 -------- d-----w- c:\documents and settings\********\Application Data\DivX
2010-01-07 03:31 . 2010-01-07 03:24 -------- d-----w- c:\program files\DivX
2010-01-07 03:30 . 2010-01-07 03:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-31 16:50 . 2006-10-19 04:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2006-10-19 04:53 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2006-10-19 04:52 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2006-10-19 05:17 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-10-19 04:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2006-10-19 04:52 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-10-19 04:52 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-28 21:35 . 2009-11-12 18:37 9904720 ----a-w- c:\documents and settings\********\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.820.0-static-A.exe
2009-11-27 17:11 . 2006-10-19 04:53 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-10-19 04:52 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-10-19 04:52 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2006-10-19 04:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-24 23:54 . 2009-02-19 15:53 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-02-19 15:54 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-02-19 15:54 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-02-19 15:54 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-02-19 15:54 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-02-19 15:54 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-02-19 15:54 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-02-19 15:54 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-02-19 15:54 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2006-10-19 04:52 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-14 00:49 . 2010-01-07 03:31 9464 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-11-14 00:49 . 2010-01-07 03:31 9336 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-11-14 00:49 . 2010-01-07 03:31 129784 ------w- c:\windows\system32\pxafs.dll
2009-11-14 00:49 . 2010-01-07 03:31 120056 ------w- c:\windows\system32\pxcpyi64.exe
2009-11-14 00:49 . 2010-01-07 03:31 118520 ------w- c:\windows\system32\pxinsi64.exe
2009-11-14 00:49 . 2005-10-26 20:12 43528 ------w- c:\windows\system32\drivers\pxhelp20.sys
2009-11-14 00:47 . 2009-11-14 00:47 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ----a-w- c:\windows\system32\DivX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-08-18 5137648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"NDSTray.exe"="NDSTray.exe" [BU]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-19 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\********\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-20 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-10-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2009-10-08 20:35 153848 ----a-w- c:\program files\ICQLite\icq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 08:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-07 23:48 761946 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQLite\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/19/2009 8:54 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/19/2009 8:54 PM 20560]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 PM 98816]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/8/2009 5:42 PM 717296]
S3 ASWLUSB;ASUS Wireless Link 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\asus_sp.sys --> c:\windows\system32\DRIVERS\asus_sp.sys [?]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable WDM;c:\windows\system32\drivers\vrtaucbl.sys [1/18/2009 2:50 PM 24832]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {66DA01D4-BB8D-4363-B564-21E3CEBBA05D} = 79.134.0.1,79.134.0.2
FF - ProfilePath - c:\documents and settings\********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.ftp - 64.18.143.219
FF - prefs.js: network.proxy.ftp_port - 2407
FF - prefs.js: network.proxy.gopher - 64.18.143.219
FF - prefs.js: network.proxy.gopher_port - 2407
FF - prefs.js: network.proxy.http - 64.18.143.219
FF - prefs.js: network.proxy.http_port - 2407
FF - prefs.js: network.proxy.socks - 64.18.143.219
FF - prefs.js: network.proxy.socks_port - 2407
FF - prefs.js: network.proxy.ssl - 64.18.143.219
FF - prefs.js: network.proxy.ssl_port - 2407
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-REGSHAVE - c:\program files\REGSHAVE\REGSHAVE.EXE
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-11 20:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–Ђ|яяяя¤•Ђ|щ•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-02-11 20:54:22
ComboFix-quarantined-files.txt 2010-02-11 15:54

Pre-Run: 29,487,353,856 bytes free
Post-Run: 29,460,062,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4A8224C53AAF94E4066DA0D172E68A14

#6 RKinner (Malware Expert, MVP, 24,624 posts)
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–Ђ|яяяя¤•Ђ|щ•A~*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–Ђ|яяяя¤•Ђ|щ•A~]

Registry::
[-HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–Ђ|яяяя¤•Ђ|щ•A~]


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop ), CFScript , (change Encoding to Unicode) SAVE. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

Ron

Edited by RKinner, 11 February 2010 - 01:30 PM.


#7 Тony Montana45 (Topic Starter, New Member, 7 posts)
ComboFix 10-02-11.04 - ********* 02/12/2010 10:25:45.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.528 [GMT 5:00]
Running from: c:\documents and settings\*********\Desktop\george.exe
Command switches used :: c:\documents and settings\*********\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100211-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-01-12 to 2010-02-12 )))))))))))))))))))))))))))))))
.

2010-02-12 05:18 . 2010-02-12 05:22 -------- d-----w- C:\george25911g
2010-02-12 02:47 . 2010-02-12 02:47 -------- d-s---w- c:\documents and settings\*********\UserData
2010-02-11 15:34 . 2010-02-11 15:40 -------- d-----w- C:\george
2010-02-10 10:09 . 2010-02-10 10:10 -------- d-----w- C:\3a376b459808a8227f332e
2010-02-09 03:57 . 2010-02-09 03:57 -------- d-----w- c:\program files\ERUNT
2010-02-09 03:15 . 2010-02-09 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-09 03:15 . 2010-02-09 03:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-08 06:35 . 2010-02-08 06:35 -------- d-----w- c:\program files\CCleaner
2010-02-08 06:34 . 2010-02-08 06:34 -------- d-----w- c:\program files\Trend Micro
2010-02-08 03:18 . 2010-02-08 03:18 -------- d-----w- c:\documents and settings\*********\Application Data\Malwarebytes
2010-02-08 03:17 . 2009-12-30 09:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-08 03:17 . 2010-02-08 03:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-08 03:17 . 2010-02-08 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-08 03:17 . 2009-12-30 09:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 04:04 . 2010-02-07 11:29 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-25 22:51 . 2010-02-11 09:22 -------- d-----w- c:\documents and settings\*********\Application Data\vlc
2010-01-18 19:37 . 2010-01-18 19:37 -------- d-----w- c:\documents and settings\*********\dwhelper
2010-01-17 18:56 . 2010-01-18 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Speedbit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-12 05:17 . 2009-01-18 09:48 -------- d-----w- c:\documents and settings\*********\Application Data\Skype
2010-02-12 03:04 . 2009-01-19 12:57 -------- d-----w- c:\documents and settings\*********\Application Data\skypePM
2010-02-07 12:14 . 2009-01-19 11:46 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 07:07 . 2009-01-18 09:59 -------- d-----w- c:\documents and settings\*********\Application Data\uTorrent
2010-01-28 21:04 . 2009-01-18 10:01 -------- d-----w- c:\documents and settings\*********\Application Data\ICQ
2010-01-20 22:39 . 2009-01-20 16:59 -------- d-----w- c:\documents and settings\*********\Application Data\dvdcss
2010-01-09 03:28 . 2006-10-19 07:04 40320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-07 15:17 . 2010-01-07 15:17 -------- d-----w- c:\documents and settings\*********\Application Data\DivX
2010-01-07 03:31 . 2010-01-07 03:24 -------- d-----w- c:\program files\DivX
2010-01-07 03:30 . 2010-01-07 03:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-31 16:50 . 2006-10-19 04:53 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2006-10-19 04:53 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2006-10-19 04:52 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 18:43 . 2006-10-19 05:17 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2006-10-19 04:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2006-10-19 04:52 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-03 22:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-10-19 04:52 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-28 21:35 . 2009-11-12 18:37 9904720 ----a-w- c:\documents and settings\*********\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.820.0-static-A.exe
2009-11-27 17:11 . 2006-10-19 04:53 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 00:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2006-10-19 04:52 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2006-10-19 04:52 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2006-10-19 04:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 00:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-24 23:54 . 2009-02-19 15:53 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-02-19 15:54 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-02-19 15:54 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-02-19 15:54 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-02-19 15:54 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-02-19 15:54 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-02-19 15:54 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-02-19 15:54 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-02-19 15:54 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 15:51 . 2006-10-19 04:52 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-08-18 5137648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"NDSTray.exe"="NDSTray.exe" [BU]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-19 185872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\*********\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-20 64864]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-10-19 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2009-10-08 20:35 153848 ----a-w- c:\program files\ICQLite\icq.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 08:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-07 23:48 761946 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Swupdtmr"=2 (0x2)
"GoogleDesktopManager"=3 (0x3)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQLite\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/19/2009 8:54 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/19/2009 8:54 PM 20560]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 PM 98816]
S3 ASWLUSB;ASUS Wireless Link 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\asus_sp.sys --> c:\windows\system32\DRIVERS\asus_sp.sys [?]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable WDM;c:\windows\system32\drivers\vrtaucbl.sys [1/18/2009 2:50 PM 24832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/8/2009 5:42 PM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {66DA01D4-BB8D-4363-B564-21E3CEBBA05D} = 79.134.0.1,79.134.0.2
FF - ProfilePath - c:\documents and settings\*********\Application Data\Mozilla\Firefox\Profiles\4g6m9h2i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.ftp - 64.18.143.219
FF - prefs.js: network.proxy.ftp_port - 2407
FF - prefs.js: network.proxy.gopher - 64.18.143.219
FF - prefs.js: network.proxy.gopher_port - 2407
FF - prefs.js: network.proxy.http - 64.18.143.219
FF - prefs.js: network.proxy.http_port - 2407
FF - prefs.js: network.proxy.socks - 64.18.143.219
FF - prefs.js: network.proxy.socks_port - 2407
FF - prefs.js: network.proxy.ssl - 64.18.143.219
FF - prefs.js: network.proxy.ssl_port - 2407
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–Ђ|яяяя¤•Ђ|щ•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\RTHDCPL.EXE
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\acs.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\TODDSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\TPSBattM.exe
.
**************************************************************************
.
Completion time: 2010-02-12 10:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-12 05:42
ComboFix2.txt 2010-02-11 15:54

Pre-Run: 29,400,154,112 bytes free
Post-Run: 29,367,406,592 bytes free

- - End Of File - - F5527D838FE9A7A34A050FBD604BDBD1
  • 0
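The Supplementary Scan section of the log above lists the Internet Explorer and Firefox proxy settings found on the machine. The following added script (not from the post or from ComboFix) parses those ComboFix lines and reports every configured proxy, separating loopback proxies from external hosts, since a browser proxy the user did not set up is worth checking during cleanup; the sample lines are copied from the log above.

```python
import ipaddress
import re

# Lines copied from the Supplementary Scan section of the ComboFix log above.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - 64.18.143.219
FF - prefs.js: network.proxy.http_port - 2407
FF - prefs.js: network.proxy.socks - 64.18.143.219
FF - prefs.js: network.proxy.socks_port - 2407
FF - prefs.js: network.proxy.type - 1
"""

IE_PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (network\.proxy\.[\w.]+) - (.+)$")
FF_NON_HOST = {"type", "no_proxies_on", "share_proxy_settings", "autoconfig_url"}

def proxy_findings(log_text):
    """Return [(browser, scheme, 'host:port')] for every proxy the log reports."""
    findings, ff = [], {}
    for line in log_text.splitlines():
        if m := IE_PROXY_RE.match(line):
            # IE stores either 'host:port' or 'scheme=host:port;scheme=host:port'.
            for entry in m.group(1).split(";"):
                scheme, sep, hostport = entry.partition("=")
                if not sep:
                    scheme, hostport = "all", scheme
                findings.append(("IE", scheme, hostport.strip()))
        elif m := FF_PREF_RE.match(line):
            ff[m.group(1)] = m.group(2).strip()
    # Firefox honours the manual host prefs only when network.proxy.type is 1.
    if ff.get("network.proxy.type") == "1":
        for key, host in ff.items():
            scheme = key[len("network.proxy."):]
            if scheme in FF_NON_HOST or scheme.endswith("_port"):
                continue
            port = ff.get(key + "_port")
            findings.append(("Firefox", scheme, f"{host}:{port}" if port else host))
    return findings

def external_proxy_hosts(findings):
    """Proxy hosts that are not loopback, i.e. traffic leaves the machine via them."""
    hosts = set()
    for _, _, hostport in findings:
        host = hostport.rsplit(":", 1)[0]
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # a host name rather than an IP literal; treat as external
        hosts.add(host)
    return hosts

if __name__ == "__main__":
    found = proxy_findings(SAMPLE_LOG)
    print(found, sorted(external_proxy_hosts(found)))
```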

#8
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
That didn't do much I'm afraid. Not sure how important it is or even what it does. Let's run BitDefender's online scan.

http://www.bitdefend...nline/free.html
It takes a while (hours) and you have to turn off your antivirus while you are running it but it is pretty thorough.

If Windows blocks the ActiveX control then try putting BitDefender in your trusted sites: In IE, Tools, Internet Options, Security, Trusted Sites, Sites. Then uncheck the HTTPS box and put in *.bitdefender.com then ADD. OK.

Ron
  • 0

#9
Тony Montana45
    New Member
  • Topic Starter
  • Member
  • 7 posts
The scan took only about 60 seconds and came up clean.
  • 0

#10
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
Probably not as thorough as Kaspersky which I used to use but which appears not to be available any more. Guess I need to update the write up.

Other than the one locked registry key I don't see anything left. How is it running now?

Ron
  • 0

#11
Тony Montana45
    New Member
  • Topic Starter
  • Member
  • 7 posts
The PC seems to be running fine. CPU usage looks normal.
  • 0

#12
RKinner
    Malware Expert
  • Expert
  • 24,624 posts
  • MVP
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


Since BitDefender came back clean, you can uninstall or delete any tools we had you download and their logs. You can manually remove C:\george and C:\qoobox, then put your system back the way it was (though I would leave the hide extensions option unchecked.)


You do not have the latest Java. Get the latest (6.18) at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 17

"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files, you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you are going to be exposed to bad USB drives then you might also want to run Autorun Eater. It's a bit silly with the goat logo but it will protect you from bad USB drives.
http://www.filefront.../aesetup2.4.exe
http://oldmcdonald.wordpress.com/ explains it.

Ron
  • 0

#13
Тony Montana45
    New Member
  • Topic Starter
  • Member
  • 7 posts
Thank you very much for your help.
  • 0