(Was)hijack log file(Now)Malware and Spyware walkthrough



#1 VCO (New Member, 4 posts)
Hi All, Could you please look at my Hijack log file and tell me if you see anything suspicious. I've pasted it in several online sites that have flagged a few items. I'd like some second opinions before I do anything. My wife downloaded a game last night called "Zuma Deluxe" and the computer became very bogged down. I'm not sure if that was the problem or if something got on her computer earlier and this is now the last straw. Ran NAV-2009 last night with no errors showing. Ran it this morning and noticed that "intrusion prevention" was turned off. When I went to turn it on, I get a Norton popup that wants me to remove it and reinstall. A bit of a red flag again! I would be very grateful for some help. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:03:23 PM, on 5/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System\hppropty.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com...de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [OSCD_Creator] c:\Dell\PreODM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP LaserJet ToolBox] hppropty.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE /2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ent/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...ploader_v10.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7336 bytes

Edited by VCO, 13 May 2010 - 10:57 AM.

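The HijackThis log above is what the helpers on this forum read line by line; as an added example (not code from this thread, from HijackThis, or from the Geeks to Go guide), the Python script below applies the same first-pass checks over sample lines modelled on that log: an unnamed URLSearchHook, BHOs and toolbars with no name or no backing file, a start page off an expected-domain list, autostarts given as bare filenames, and grouping of entries that share one DLL, which is how the MyWaySA hook and BHO stand out together. The expected-domain allowlist and the sample lines are constructed for the example; a flagged line is a review item, not a verdict (the Dell MyWay start page is an OEM default).

```python
"""HijackThis log triage helper: an added example, not code from this thread.
Applies the checks a malware-removal helper makes by eye, over constructed
sample lines modelled on the log posted above."""
import re
from dataclasses import dataclass

# "R0 - ...", "O2 - BHO: ...": section prefix, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Allowlist of start-page / search-bar domains: an assumption for the example.
# Tune it to the OEM or corporate defaults; a miss is a review item, not a verdict.
EXPECTED_PAGE_DOMAINS = {"www.google.com", "www.bing.com", "www.msn.com"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str

def _o4_target(body):
    """Executable an 'O4 - ...\\Run: [name] cmd' entry launches ('' otherwise)."""
    if "]" not in body:
        return ""
    rest = body.split("]", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(None, 1)[0] if rest else ""

def triage_line(line):
    """Findings for one log line; an empty list means nothing stood out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    out = []
    # R0/R1: start page or search bar pointing somewhere off the allowlist.
    if sec in ("R0", "R1") and "=" in body:
        host = re.match(r"https?://([^/\s]+)", body.split("=", 1)[1].strip())
        dom = host.group(1).lower() if host else None
        if dom and dom not in EXPECTED_PAGE_DOMAINS:
            out.append(Finding(sec, f"browser page setting points at {dom}", line))
    # R3: an unnamed URLSearchHook is the classic search-hijacker registration.
    if sec == "R3" and "(no name)" in body:
        out.append(Finding(sec, "unnamed URLSearchHook", line))
    # O2/O3: BHO or toolbar with no backing file (orphan) or with no name.
    if sec in ("O2", "O3"):
        if "(no file)" in body:
            out.append(Finding(sec, "registration whose file is missing", line))
        elif "(no name)" in body:
            out.append(Finding(sec, "unnamed BHO/toolbar", line))
    # O4: a bare filename is resolved through the search path at logon, so it
    # deserves a look even when the program itself is benign.
    if sec == "O4":
        target = _o4_target(body)
        if target.lower().endswith(".exe") and not re.match(r"^([A-Za-z]:\\|%)", target):
            out.append(Finding(sec, "autostart referenced by bare filename", line))
    return out

def triage_log(text):
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]

def backing_file(line):
    """Lower-cased file an R3/O2/O3 entry points at, or None if it has none."""
    m = ENTRY_RE.match(line.strip())
    if not m or m.group("sec") not in ("R3", "O2", "O3"):
        return None
    tail = m.group("body").rsplit(" - ", 1)[-1].strip()
    return tail.lower() if "\\" in tail else None

def group_by_file(text):
    """Group hook/BHO/toolbar entries by backing file, so a URLSearchHook and a
    BHO that load the same DLL (as MyWaySA does above) are reported together."""
    groups = {}
    for line in text.splitlines():
        path = backing_file(line)
        if path:
            groups.setdefault(path, []).append(line.strip())
    return groups

# Constructed sample, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason} :: {f.line.strip()}")
```

Run it directly to print the findings for the sample, or pass a saved log's text to triage_log() and group_by_file().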

#2 RKinner (Malware Expert, MVP, 23,727 posts)
Do as much of

http://www.geekstogo...uide-t2852.html

as you can. If a step won't work, skip to the next one. Copy and paste your gmer, mbam, otl, & extras logs into a reply. Do not attach them.

If you lose internet access after running MBAM or if you are not able to get to the downloads:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In FireFox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

Ron

#3 VCO (Topic Starter, New Member, 4 posts)
Hi Ron,
Thanks for your help. You live in a beautiful place, I've been to Orcas Island once and many times to San Juan Island.
I've followed your instructions as well as the geekstogo "cleaning guide".
I ran TFC, ERUNT, MBAM (found some items and allowed MBAM to remove them), and then removed NAV-2009 and installed NAV-2010 (because I was getting an update error).
Ran a full scan; NAV-2010 found 19 cookies and removed them.
I rebooted throughout all these processes.
Ran GMER.
Ran OTL.
Here are the logs.

MBAM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/11/2010 11:52:08 AM
mbam-log-2010-05-11 (11-52-08).txt

Scan type: Quick scan
Objects scanned: 113432
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{4d25f920-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4d25f923-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywaysearchassistantde.auxiliary.1 (Adware.MyWaySearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 15:25:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Laptop\LOCALS~1\Temp\kxloapow.sys


---- System - GMER 1.0.15 ----

SSDT 82E6A680 ZwAlertResumeThread
SSDT 82E74070 ZwAlertThread
SSDT 82E95AC0 ZwAllocateVirtualMemory
SSDT 82EA3050 ZwAssignProcessToJobObject
SSDT 82D7FE30 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB2698210]
SSDT 82CB72E8 ZwCreateMutant
SSDT 82B83008 ZwCreateSymbolicLinkObject
SSDT 82E8E0E8 ZwCreateThread
SSDT 82B50070 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB2698490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB26989F0]
SSDT 82D40150 ZwDuplicateObject
SSDT 82E832E8 ZwFreeVirtualMemory
SSDT 82B2B070 ZwImpersonateAnonymousToken
SSDT 82C9C2C0 ZwImpersonateThread
SSDT 82E762D0 ZwLoadDriver
SSDT 82E1A900 ZwMapViewOfSection
SSDT 82C91070 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xB26987A0]
SSDT 82D46740 ZwOpenProcess
SSDT 82CA52C0 ZwOpenProcessToken
SSDT 82D42098 ZwOpenSection
SSDT 82D42D70 ZwOpenThread
SSDT 82CA60D8 ZwProtectVirtualMemory
SSDT 82E7D8E0 ZwResumeThread
SSDT 82D3C560 ZwSetContextThread
SSDT 82E8ECA0 ZwSetInformationProcess
SSDT 82D8D628 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB2698C40]
SSDT 82C8B070 ZwSuspendProcess
SSDT 82D66160 ZwSuspendThread
SSDT 82C523B8 ZwTerminateProcess
SSDT 82D42E58 ZwTerminateThread
SSDT 82D21050 ZwUnmapViewOfSection
SSDT 82E7E980 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + F8 804E2764 4 Bytes CALL ABD0F2DB
.text ntoskrnl.exe!_abnormal_termination + 198 804E2804 4 Bytes CALL 15D1103B
.text ntoskrnl.exe!_abnormal_termination + 4A0 804E2B0C 4 Bytes JMP 8F04ADF8
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B0F23D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


OTL

OTL logfile created on: 5/11/2010 4:40:00 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Laptop\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 172.00 Mb Available Physical Memory | 34.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.45 Gb Total Space | 11.36 Gb Free Space | 32.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D4DJWQ61
Current User Name: Laptop
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/11 16:37:31 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\OTL.exe
PRC - [2010/02/25 17:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
PRC - [2009/05/26 19:36:41 | 000,071,168 | ---- | M] () -- C:\WINDOWS\SYSTEM32\LxrJD31s.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/10/07 19:44:14 | 000,610,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2004/08/21 18:04:48 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 09:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2003/11/19 17:48:14 | 000,032,881 | ---- | M] () -- C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
PRC - [2003/10/29 02:06:00 | 000,024,576 | R--- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/05/14 18:37:56 | 000,098,304 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\SYSTEM32\BacsTray.exe
PRC - [1997/02/19 01:00:00 | 000,032,256 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\SYSTEM\HPPROPTY.EXE
PRC - [1996/11/21 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/11 16:37:31 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\OTL.exe
MOD - [2008/04/13 18:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/02/25 17:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe -- (NAV)
SRV - [2009/05/26 19:36:41 | 000,071,168 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\LxrJD31s.exe -- (LxrJD31s)


========== Driver Services (SafeList) ==========

DRV - [2010/05/11 13:05:45 | 001,347,504 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100511.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/05/11 13:05:44 | 000,085,552 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\VirusDefs\20100511.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/05/11 13:00:22 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/04/29 11:44:04 | 000,537,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/03/04 03:00:00 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/03/04 03:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/02/26 20:23:54 | 000,116,784 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 20:23:21 | 000,325,680 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 20:23:21 | 000,043,696 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 17:22:57 | 000,501,888 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/03 19:40:52 | 000,362,032 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/02/03 19:40:50 | 000,172,592 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2010/02/03 19:40:47 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1106000.020\SYMDS.SYS -- (SymDS)
DRV - [2010/02/03 19:40:07 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100505.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/05/26 19:36:41 | 000,069,824 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\LxrJD31d.sys -- (LxrJD31d)
DRV - [2008/04/13 12:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 12:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2005/01/26 01:41:58 | 000,015,781 | ---- | M] (Meetinghouse Data Communications) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys -- (MDC8021X) AEGIS Protocol (IEEE 802.1x)
DRV - [2004/09/15 19:53:06 | 000,263,608 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/08/12 22:14:00 | 000,786,944 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys -- (ati2mtag)
DRV - [2004/08/12 07:31:27 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/12 07:30:27 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/12 07:30:27 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/12 07:30:26 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/12 07:30:26 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/12 07:29:29 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/12 07:26:47 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/12 07:26:47 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/12 07:26:46 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/12 07:22:31 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/12 07:18:30 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/12 07:17:45 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/12 07:17:24 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/12 07:17:24 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/12 07:17:21 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/06 14:32:44 | 000,104,735 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\NV4_MINI.SYS -- (nv)
DRV - [2004/06/30 10:39:36 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS -- (APPDRV)
DRV - [2004/04/14 15:52:54 | 000,020,736 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\MosIrUsb.sys -- (MosIrUsb)
DRV - [2004/02/20 16:13:50 | 000,312,960 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\BCMWL5.SYS -- (BCM43XX)
DRV - [2004/02/13 10:46:00 | 000,017,153 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys -- (omci)
DRV - [2003/11/13 18:21:16 | 000,197,120 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSFHWICH.sys -- (HSFHWICH)
DRV - [2003/11/13 18:18:36 | 000,679,808 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/13 18:17:00 | 001,042,816 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\HSF_DP.sys -- (HSF_DP)
DRV - [2003/06/02 08:02:42 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://en-us.start.m...en-US:official"
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/01/06 14:50:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\ [2010/05/11 13:05:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/02 18:32:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.19\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/11 12:22:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/18 08:00:01 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2008/02/09 14:09:39 | 000,000,000 | ---D | M]

[2008/09/08 20:04:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Laptop\Application Data\Mozilla\Extensions
[2010/05/11 12:33:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Laptop\Application Data\Mozilla\Firefox\Profiles\5p8axszb.default\extensions
[2010/05/11 13:15:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\IPSBHO.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [bacstray] C:\WINDOWS\System32\BacsTray.exe (Broadcom Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found
O4 - HKLM..\Run: [HP LaserJet ToolBox] File not found
O4 - HKLM..\Run: [OSCD_Creator] c:\DELL\PREODM.EXE ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe File not found
O4 - HKLM..\RunOnce: [OSCD_Creator] C:\Dell\PreODM.EXE ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Laptop\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
O4 - Startup: C:\Documents and Settings\Laptop\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...90/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx (AcDcToday Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} file://C:\Program Files\AutoCAD 2002\InstBanr.ocx (NOXLATE-BANR)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,23/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} file://C:\Program Files\AutoCAD 2002\InstFred.ocx (InstaFred)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/...ploader_v10.cab (PopCapLoader Object)
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} file://C:\Program Files\AutoCAD 2002\AcPreview.ocx (AcPreview Control)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll ()
O24 - Desktop WallPaper: C:\Documents and Settings\Laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Laptop\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c19ec350-5bc3-11da-b83f-0011436aa8e4}\Shell\AutoRun\command - "" = F:\JDSecure\Windows\JDSecure31.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2005/02/07 12:40:15 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/11 16:37:30 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\OTL.exe
[2010/05/11 14:38:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\Desktop\gmer
[2010/05/11 13:00:22 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/11 13:00:22 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/11 12:59:25 | 000,000,000 | ---D | C] -- C:\Program Files\Norton AntiVirus
[2010/05/11 12:54:39 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/05/11 12:52:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2010/05/11 11:09:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\Application Data\Malwarebytes
[2010/05/11 11:09:16 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/11 11:09:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/11 11:09:14 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/11 11:09:14 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/11 11:06:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/11 11:04:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/11 10:20:54 | 000,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Laptop\Desktop\erunt_setup.exe
[2010/05/11 10:08:26 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laptop\Desktop\mbam-setup.exe
[2010/05/11 10:07:25 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\TFC.exe
[2010/05/11 07:51:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\Desktop\Bookmarks-email
[2010/05/10 16:40:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\Desktop\hjred103
[2010/05/10 13:01:13 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/10 10:00:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/05/09 20:31:52 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/05/09 20:26:51 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2010/05/09 20:26:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Oberon Media
[2010/05/09 20:26:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar
[2010/05/09 20:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\Oberon Media
[2010/05/09 20:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Toolbar Installer
[2010/03/13 12:22:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\My Documents\Downloads
[2010/03/13 12:21:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/13 12:16:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Laptop\Local Settings\Application Data\Temp
[2010/03/13 12:16:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[1980/01/01 00:00:00 | 000,151,552 | ---- | C] ( ) -- C:\WINDOWS\System32\ATIDEMGR.dll
[1 C:\Documents and Settings\Laptop\My Documents\*.tmp files -> C:\Documents and Settings\Laptop\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/11 16:37:31 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\OTL.exe
[2010/05/11 16:27:01 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/11 16:10:53 | 000,002,444 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/05/11 16:10:53 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/11 16:10:47 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/11 16:10:44 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/05/11 16:10:42 | 536,129,536 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/11 16:08:36 | 004,456,448 | ---- | M] () -- C:\Documents and Settings\Laptop\ntuser.dat
[2010/05/11 16:08:36 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Laptop\NTUSER.INI
[2010/05/11 16:08:14 | 000,001,367 | ---- | M] () -- C:\WINDOWS\System32\HPA.DAT
[2010/05/11 13:00:52 | 000,673,504 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Cat.DB
[2010/05/11 13:00:22 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/05/11 13:00:22 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/05/11 13:00:22 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/05/11 13:00:22 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/05/11 13:00:18 | 000,000,710 | ---- | M] () -- C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Laptop.job
[2010/05/11 12:40:07 | 000,694,596 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1008000.029\Cat.DB
[2010/05/11 11:09:19 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/11 11:04:44 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\NTREGOPT.lnk
[2010/05/11 11:04:44 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\ERUNT.lnk
[2010/05/11 10:20:54 | 000,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Laptop\Desktop\erunt_setup.exe
[2010/05/11 10:08:32 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Laptop\Desktop\mbam-setup.exe
[2010/05/11 10:07:25 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Laptop\Desktop\TFC.exe
[2010/05/10 15:54:41 | 000,000,414 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\Shortcut to Wireless Network Connection.lnk
[2010/05/10 15:03:09 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\HiJackThis.lnk
[2010/05/09 21:11:32 | 000,000,439 | ---- | M] () -- C:\Program Files\0509201021113257.bat
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 21:52:56 | 000,000,083 | ---- | M] () -- C:\WINDOWS\webica.ini
[2010/04/14 21:21:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/11 13:41:42 | 000,000,721 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2010/04/11 12:45:32 | 000,959,737 | ---- | M] () -- C:\Documents and Settings\Laptop\My Documents\MAC.pdf
[2010/04/04 20:25:49 | 024,840,187 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\Cardiology I - Chapter 1 - Hypertension - Clinical Practice Updates.mp3
[2010/03/26 19:17:31 | 000,000,172 | ---- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\isolate.ini
[2010/03/18 18:47:40 | 001,422,919 | ---- | M] () -- C:\Documents and Settings\Laptop\Desktop\p575.pdf
[2010/03/14 08:38:19 | 000,444,132 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 08:38:19 | 000,383,694 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2010/03/14 08:38:19 | 000,054,678 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2010/03/13 10:43:47 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/03/13 10:43:47 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/03/01 21:32:06 | 000,007,442 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.cat
[2010/03/01 21:32:06 | 000,007,438 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.cat
[2010/02/26 20:23:54 | 000,116,784 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Ironx86.sys
[2010/02/26 20:23:54 | 000,007,438 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\iron.cat
[2010/02/26 20:23:54 | 000,000,741 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\Iron.inf
[2010/02/26 20:23:21 | 000,325,680 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.sys
[2010/02/26 20:23:21 | 000,043,696 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.sys
[2010/02/26 20:23:21 | 000,001,388 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtspx.inf
[2010/02/26 20:23:21 | 000,001,382 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\srtsp.inf
[2010/02/25 17:22:57 | 000,501,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NAV\1106000.020\cchpx86.sys
[2010/02/25 11:54:56 | 000,007,396 | R--- | M] () -- C:\WINDOWS\System32\drivers\NAV\1106000.020\cchpx86.cat
[1 C:\Documents and Settings\Laptop\My Documents\*.tmp files -> C:\Documents and Settings\Laptop\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/11 13:00:22 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/05/11 13:00:22 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/05/11 11:09:19 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/11 11:04:44 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\NTREGOPT.lnk
[2010/05/11 11:04:44 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\ERUNT.lnk
[2010/05/10 15:54:41 | 000,000,414 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\Shortcut to Wireless Network Connection.lnk
[2010/05/10 13:01:14 | 000,002,449 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\HiJackThis.lnk
[2010/05/09 21:11:32 | 000,000,439 | ---- | C] () -- C:\Program Files\0509201021113257.bat
[2010/04/29 18:00:05 | 004,456,448 | ---- | C] () -- C:\Documents and Settings\Laptop\ntuser.dat
[2010/04/11 12:45:32 | 000,959,737 | ---- | C] () -- C:\Documents and Settings\Laptop\My Documents\MAC.pdf
[2010/04/04 20:25:06 | 024,840,187 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\Cardiology I - Chapter 1 - Hypertension - Clinical Practice Updates.mp3
[2010/03/18 18:47:40 | 001,422,919 | ---- | C] () -- C:\Documents and Settings\Laptop\Desktop\p575.pdf
[2010/03/13 12:16:17 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/13 12:16:15 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/13 10:43:47 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/03/13 10:43:47 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2007/09/03 14:45:56 | 000,249,856 | ---- | C] () -- C:\WINDOWS\System32\LxrJD31.dll
[2007/09/03 14:45:56 | 000,069,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\LxrJD31d.sys
[2007/09/03 14:45:56 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\LxrJD20Sat.dll
[2007/02/06 16:46:18 | 000,002,004 | ---- | C] () -- C:\WINDOWS\FONTSMRT.INI
[2007/02/06 16:43:11 | 000,000,599 | ---- | C] () -- C:\WINDOWS\prntname.ini
[2007/02/06 16:43:11 | 000,000,125 | ---- | C] () -- C:\WINDOWS\hpljps.ini
[2007/02/06 16:43:11 | 000,000,034 | ---- | C] () -- C:\WINDOWS\winhelp.ini
[2006/05/31 18:58:59 | 000,000,083 | ---- | C] () -- C:\WINDOWS\webica.ini
[2005/11/22 19:52:20 | 000,000,000 | ---- | C] () -- C:\WINDOWS\JDSecure31.INI
[2005/03/07 20:29:25 | 000,000,092 | ---- | C] () -- C:\WINDOWS\WIN2SEC.INI
[2005/02/03 05:51:07 | 000,000,737 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/02/02 16:01:35 | 000,000,871 | ---- | C] () -- C:\WINDOWS\QIII.INI
[2005/01/26 01:50:59 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/26 01:12:18 | 000,000,454 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 13:13:12 | 000,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2004/04/14 15:52:54 | 000,020,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\MosIrUsb.sys
[2002/10/03 14:42:27 | 000,000,034 | ---- | C] () -- C:\WINDOWS\Q3version.ini
[2000/09/18 16:50:28 | 000,202,752 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/21 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1980/01/01 00:00:00 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\ati2evxx.dll

========== LOP Check ==========

[2005/05/19 06:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MCA16.tmp
[2009/09/29 12:57:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PCSettings
[2005/02/03 19:30:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2010/05/10 14:42:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SupportSoft
[2010/05/09 20:36:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2006/05/31 19:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Laptop\Application Data\ICAClient
[2006/10/15 08:58:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Laptop\Application Data\Thunderbird

========== Purity Check ==========



========== Custom Scans ==========


< >

< %SYSTEMDRIVE%\*.* >
[2004/08/12 08:05:03 | 000,260,272 | R--- | M] () -- C:\$LDR$
[2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/02/07 12:35:52 | 000,000,211 | -HS- | M] () -- C:\BOOT.BAK
[2005/02/09 09:03:07 | 000,000,269 | -HS- | M] () -- C:\boot.ini
[2006/05/31 18:59:00 | 000,000,000 | ---- | M] () -- C:\COMLOG.txt
[2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/01/26 01:17:50 | 000,004,215 | RH-- | M] () -- C:\DELL.SDR
[2005/02/03 11:42:25 | 000,005,359 | -HS- | M] () -- C:\ffastun.ffa
[2005/02/03 11:42:25 | 000,286,720 | -HS- | M] () -- C:\ffastun.ffl
[2005/02/03 11:42:25 | 000,151,552 | -H-- | M] () -- C:\ffastun.ffo
[2005/02/03 11:42:25 | 002,510,848 | -HS- | M] () -- C:\ffastun0.ffx
[2010/05/11 16:10:42 | 536,129,536 | -HS- | M] () -- C:\hiberfil.sys
[2005/02/07 12:30:53 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/12 08:02:33 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/04/13 13:46:53 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/11 16:10:40 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2004/09/14 09:34:07 | 000,452,619 | R--- | M] () -- C:\txtsetup.sif

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2005/02/07 06:26:49 | 000,262,144 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\default.sav
[2005/02/07 12:18:19 | 000,262,144 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\security.sav
[2005/02/07 06:26:49 | 017,301,504 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\software.sav
[2005/02/07 06:26:51 | 006,553,600 | ---- | M] () -- C:\WINDOWS\SYSTEM32\CONFIG\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\mbamswissarmy.sys
[2010/02/24 07:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\mrxsmb.sys
[2010/05/11 13:00:22 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
[2010/02/11 06:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\DRIVERS\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 126 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B623B5B8
@Alternate Data Stream - 105 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3E7393FC
< End of report >


EXTRAS

OTL Extras logfile created on: 5/11/2010 4:40:01 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Laptop\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 172.00 Mb Available Physical Memory | 34.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): c:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.45 Gb Total Space | 11.36 Gb Free Space | 32.99% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: D4DJWQ61
Current User Name: Laptop
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Quake III Arena\quake3.exe" = C:\Program Files\Quake III Arena\quake3.exe:*:Disabled:quake3 -- ()
"C:\Program Files\Dell Inc\Dell Picture Studio v3.0\launch.exe" = C:\Program Files\Dell Inc\Dell Picture Studio v3.0\launch.exe:*:Disabled:Jasc Paint Shop Photo Album 5 Application -- (Jasc Software)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Computer, Inc.)
"C:\Documents and Settings\Laptop\Local Settings\Temp\7zS15.tmp\SymNRT.exe" = C:\Documents and Settings\Laptop\Local Settings\Temp\7zS15.tmp\SymNRT.exe:*:Enabled:Norton Removal Tool -- File not found


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Small Business
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{446DBFFA-4088-48E3-8932-74316BA4CAE4}" = iTunes
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{50D8FFDD-90CD-4859-841F-AA1961C7767A}" = QuickTime
"{5783F2D7-0101-0409-0000-0060B0CE6BBA}" = AutoCAD 2002
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{68D60342-7686-45C9-B8EB-40EF843D0460}" = Dell Networking Guide
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110113233}" = Bookworm Deluxe
"{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{9692FD03-6662-4E62-B08C-30DFF51651E1}" = Actiontec Gateway
"{9A200E68-D5F4-4E70-910F-2871753A0E2B}" = Worms World Party
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{C5074CC4-0E26-4716-A307-960272A90040}" = QuickSet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AnswerWorks" = AnswerWorks Runtime
"ATI Display Driver" = ATI Display Driver
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Utility
"Citrix ICA Web Client" = Citrix ICA Web Client
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D480 MDC V.9x Modem
"ERUNT_is1" = ERUNT 1.1j
"HP LaserJet 6P/6MP UnInstaller" = HP LaserJet 6P/6MP
"InstallShield_{89EE857B-8970-4F9F-AB58-A1C873AC72B3}" = Broadcom Advanced Control Suite
"JDSecure" = JD Secure 3.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.19)" = Mozilla Firefox (3.0.19)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyWaySearchAssistantDE" = My Way Search Assistant
"NAV" = Norton AntiVirus
"Office8.0" = Microsoft Office 97, Professional Edition
"Quake III Arena" = Quake III Arena
"Quake III Arena Point Release 1.32" = Quake III Arena Point Release 1.32
"RealPlayer 6.0" = RealPlayer
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/8/2009 11:01:44 PM | Computer Name = D4DJWQ61 | Source = Application Hang | ID = 1002
Description = Hanging application POWERPNT.EXE, version 8.0.0.3516, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/11/2010 10:30:01 PM | Computer Name = D4DJWQ61 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/9/2010 10:49:11 PM | Computer Name = D4DJWQ61 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/9/2010 10:50:41 PM | Computer Name = D4DJWQ61 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/9/2010 10:50:49 PM | Computer Name = D4DJWQ61 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3725, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/10/2010 11:27:06 AM | Computer Name = D4DJWQ61 | Source = Google Update | ID = 20
Description =

Error - 5/10/2010 12:27:35 PM | Computer Name = D4DJWQ61 | Source = Google Update | ID = 20
Description =

Error - 5/10/2010 1:27:34 PM | Computer Name = D4DJWQ61 | Source = Google Update | ID = 20
Description =

Error - 5/10/2010 2:27:05 PM | Computer Name = D4DJWQ61 | Source = Google Update | ID = 20
Description =

Error - 5/10/2010 3:27:05 PM | Computer Name = D4DJWQ61 | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 5/10/2010 9:02:03 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 5/11/2010 8:33:06 AM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 5/11/2010 12:11:11 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/11/2010 12:11:11 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7034
Description = The Lexar JD31 service terminated unexpectedly. It has done this
1 time(s).

Error - 5/11/2010 12:11:11 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7034
Description = The WLTRYSVC service terminated unexpectedly. It has done this 1
time(s).

Error - 5/11/2010 12:11:13 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 5/11/2010 12:15:15 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 5/11/2010 1:56:37 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
hpn
i2omp
IDSxpx86
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde

Error - 5/11/2010 1:57:00 PM | Computer Name = D4DJWQ61 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2010 2:30:10 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86


< End of report >
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,727 posts
  • MVP
Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus programs at this time :!:

Ron
  • 0

#5
VCO

VCO

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi Ron,
I turned off everything I could in NAV-2010, and then disabled my wireless internet connection!
Okay, I downloaded Combofix, renamed to george.exe and ran it. Went through the disclaimer and then it wanted to download the "recovery console". I tried to "enable" my wireless connection but it would not. After the second try to enable, without success, combofix said the recovery console was not downloaded and then proceeded to run the scan. I left the computer alone and waited for the scan to complete and produce a log. Is this okay???
Note: I noticed that an icon for Internet Explorer (not a shortcut) was now sitting in the upper left corner of the screen. When I right-click this and select properties, it shows the home page as "www.dell4me/mywaybiz"
I don't think any other icons were moved and I'm not sure if this IE icon wasn't already on the desktop in a different place.

Here is the log

ComboFix 10-05-12.04 - Laptop 05/13/2010 8:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.255 [GMT -6:00]
Running from: c:\documents and settings\Laptop\Desktop\george.exe.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system\oeminfo.ini
c:\windows\system32\drivers\fad.sys
c:\windows\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-11 17:04 . 2010-05-11 17:04 -------- d-----w- c:\program files\ERUNT
2010-05-10 19:01 . 2010-05-10 19:01 388096 ----a-r- c:\documents and settings\Laptop\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-10 19:01 . 2010-05-10 19:01 -------- d-----w- c:\program files\Trend Micro
2010-05-10 16:00 . 2010-05-10 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-10 15:34 . 2010-05-10 15:34 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-10 03:11 . 2010-05-10 03:11 439 ----a-w- c:\program files\0509201021113257.bat
2010-05-10 02:26 . 2010-05-10 02:26 -------- d-----w- c:\program files\Microsoft
2010-05-10 02:26 . 2010-05-10 02:26 -------- d-----w- c:\program files\Common Files\Oberon Media
2010-05-10 02:26 . 2010-05-10 02:26 -------- d-----w- c:\program files\MSN Toolbar
2010-05-10 02:24 . 2010-05-10 02:28 -------- d-----w- c:\program files\MSN Toolbar Installer
2010-05-10 02:24 . 2010-05-10 02:24 -------- d-----w- c:\program files\Oberon Media

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 03:14 . 2007-02-06 23:08 1367 ----a-w- c:\windows\system32\HPA.DAT
2010-05-13 02:48 . 2006-10-15 14:58 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-11 19:17 . 2005-07-07 16:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-11 19:01 . 2009-09-29 18:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-11 19:00 . 2009-09-29 19:09 -------- d-----w- c:\program files\Symantec
2010-05-11 19:00 . 2010-05-11 19:00 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-11 19:00 . 2010-05-11 19:00 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-11 19:00 . 2010-05-11 19:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-11 19:00 . 2010-05-11 19:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-11 18:59 . 2010-05-11 18:59 -------- d-----w- c:\program files\Norton AntiVirus
2010-05-11 18:54 . 2010-05-11 18:54 -------- d-----w- c:\program files\NortonInstaller
2010-05-11 18:41 . 2005-07-07 16:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-11 17:09 . 2010-05-11 17:09 -------- d-----w- c:\documents and settings\Laptop\Application Data\Malwarebytes
2010-05-11 17:09 . 2010-05-11 17:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 17:09 . 2010-05-11 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-10 20:42 . 2008-02-10 19:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2010-05-10 20:42 . 2008-02-10 19:09 -------- d-----w- c:\program files\Dell Support Center
2010-05-10 20:32 . 2006-03-09 13:36 -------- d-----w- c:\program files\Google
2010-05-10 03:11 . 2007-03-25 02:09 -------- d-----w- c:\program files\MSN Games
2010-05-10 02:36 . 2007-03-25 02:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-29 21:39 . 2010-05-11 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2010-05-11 17:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 11:09 . 2004-08-12 13:32 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2004-08-12 13:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-08-12 13:19 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-08-12 13:22 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 15:10 . 2004-08-12 13:25 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-08-22 155648]
"OSCD_Creator"="c:\dell\PreODM.EXE" [2004-10-31 408576]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"bacstray"="BacsTray.exe" [2003-05-15 98304]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-13 339968]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2004-10-08 610304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

c:\documents and settings\Laptop\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-21 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-21 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-1-26 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NAV\1106000.020\SymDS.sys [5/11/2010 1:00 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NAV\1106000.020\SymEFA.sys [5/11/2010 1:00 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [5/11/2010 1:07 PM 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\SYSTEM32\DRIVERS\NAV\1106000.020\cchpx86.sys [5/11/2010 1:00 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NAV\1106000.020\Ironx86.sys [5/11/2010 1:00 PM 116784]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [5/11/2010 12:59 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/11/2010 1:05 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\Definitions\IPSDefs\20100505.001\IDSXpx86.sys [5/11/2010 1:07 PM 329592]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 12:16 PM 135664]
S3 MosIrUsb;MosIrUsb.sys;c:\windows\SYSTEM32\DRIVERS\MosIrUsb.sys [4/14/2004 3:52 PM 20736]
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 18:16]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 18:16]

2010-05-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Laptop.job
- c:\program files\Norton AntiVirus\Engine\17.6.0.32\Navw32.exe [2010-05-11 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
FF - ProfilePath - c:\documents and settings\Laptop\Application Data\Mozilla\Firefox\Profiles\5p8axszb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.6.0.32\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-HP LaserJet ToolBox - hppropty.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 08:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-13 08:30:12
ComboFix-quarantined-files.txt 2010-05-13 14:30

Pre-Run: 11,997,581,312 bytes free
Post-Run: 11,988,570,112 bytes free

- - End Of File - - 4EC2C8210CDC7380D45277C15395EBFF
  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,727 posts
  • MVP
All I see is some Adware that came from Dell.

"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant

You do not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE)
I see:
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03

I do see a problem with a Norton file:
Error - 5/10/2010 9:02:03 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

You might want to uninstall it, use the Norton Removal tool
http://service1.syma...005033108162039
then if you have paid for it reinstall it. If it's a demo just install the free Avast!
http://www.avast.com...avast-home.html (You will notice that the PC is a lot faster without that Norton resource hog.)

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on.

Ron
  • 0
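Ron spotted the recurring Service Control Manager 7026 entry (the Norton IDSxpx86 driver failing to load at every boot) by reading the OTL event-log dump by eye. The following is an added example for this thread, not code from the thread, OTL or ComboFix: a small Python parser that reads the "Error - ... | Source = ... | ID = ..." blocks OTL writes, groups them by source and event ID, and counts how often each driver name appears in 7026 entries, so a driver that fails on every boot stands out from the one-off failures (the `SAMPLE` text is a constructed, cut-down copy of the [ System Events ] block posted above).

```python
"""Summarise recurring errors in an OTL-style Windows event-log dump.

Added example for this thread (not code from the thread, OTL or ComboFix).
It parses the "Error - <date> | Computer Name = ... | Source = ... | ID = ..."
entries, groups them by source and event ID, and for Service Control Manager
event 7026 (boot-start driver failed to load) counts each driver name, which
is how a driver failing on every boot, like IDSxpx86 above, stands out.
"""
import re
from collections import Counter

# One entry header per "Error - ..." line; the description follows on the
# next lines until a blank line or the next header.
HEADER = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>\S+) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<eid>\d+)\s*$"
)

# Constructed sample: a cut-down copy of the [ System Events ] block above.
SAMPLE = """[ System Events ]
Error - 5/10/2010 9:02:03 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86

Error - 5/11/2010 12:11:11 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/11/2010 1:56:37 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agpCPQ
IDSxpx86
IntelIde

Error - 5/11/2010 2:30:10 PM | Computer Name = D4DJWQ61 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IDSxpx86
"""


def parse_events(text):
    """Return one dict per 'Error - ...' entry.

    OTL wraps long descriptions over several lines, so the description is
    re-joined into a single string; section banners are skipped.
    """
    events = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            current["eid"] = int(current["eid"])
            current["description"] = ""
            events.append(current)
            continue
        if current is None:
            continue  # e.g. the "[ System Events ]" banner
        if not line.strip():
            current = None  # blank line terminates the entry
            continue
        body = line[len("Description = "):] if line.startswith("Description = ") else line
        current["description"] = (current["description"] + " " + body).strip()
    return events


def count_by_source_and_id(events):
    """Group entries by (source, event ID) so recurring errors surface first."""
    return Counter((e["source"], e["eid"]) for e in events)


def failed_drivers(events):
    """For SCM event 7026, count every driver name listed after the fixed prefix."""
    prefix = "The following boot-start or system-start driver(s) failed to load:"
    counts = Counter()
    for e in events:
        if (e["source"] == "Service Control Manager" and e["eid"] == 7026
                and e["description"].startswith(prefix)):
            for name in e["description"][len(prefix):].split():
                counts[name] += 1
    return counts


def report(text):
    """Human-readable summary: event counts, then drivers failing on more than one boot."""
    events = parse_events(text)
    lines = []
    for (source, eid), n in count_by_source_and_id(events).most_common():
        lines.append(f"{n}x  {source} ID {eid}")
    for name, n in failed_drivers(events).most_common():
        if n > 1:
            lines.append(f"driver {name} failed to load in {n} boots")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running it on the sample prints the 7026 entry three times and the 7034 entry once, then "driver IDSxpx86 failed to load in 3 boots"; the many other drivers in the long 5/11 1:56 PM entry appear only once and are not reported, which matches Ron's reading that the one persistent problem is the Norton IDS driver.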

#7
VCO

VCO

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Hi Ron,
Thanks very much for your time and walkthrough. I'm glad that there was nothing too serious with the laptop.
I will follow your recommendations for preventative maintenance.
An interesting thing happened when I went to update NAV-2009. As you noticed, there was an error when it went to update and it wanted me to uninstall and then reinstall my product. After I downloaded and ran the Norton product remover it asked me to choose the product to reinstall. My product was NAV2009 and it only offered one choice for NAV, that was something like NAV 2006 and up, I picked that and it proceeded to update to NAV-2010. Nice! I hope! No change in my subscription days.

PS, I will leave a donation.

Thanks Again!
Take care,

Carlos
  • 0