Antimalware Doctor


#1
shiv1226
Member, 19 posts
So I got this virus on the computer at work that syncs up to the server, and it's got all the important info for the office on it. We had the tech guy try to clean it; he did the whole Malwarebytes scan, and still it's there. The next step, he says, is to wipe the computer because he can't log in in Safe Mode. Is there another way to fix this?


#2
RKinner
Malware Expert, MVP, 24,625 posts
http://www.geekstogo...uide-t2852.html

Then copy and paste your logs.

Ron

#3
shiv1226 (Topic Starter)
Member, 19 posts
When I ran rkill.exe, it showed where the program was running from, so I deleted the .exe file, ran Malwarebytes, and got this log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4101

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/14/2010 2:01:16 PM
mbam-log-2010-05-14 (14-01-16).txt

Scan type: Quick scan
Objects scanned: 13435
Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________

OTL logfile created on: 5/14/2010 2:33:51 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\fd2\Desktop\computer fix
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 631.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 134.96 Gb Free Space | 90.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 193.03 Gb Total Space | 166.33 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
Drive P: | 193.03 Gb Total Space | 166.33 Gb Free Space | 86.17% Space Free | Partition Type: NTFS

Computer Name: FRONTDESK2
Current User Name: FD2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/14 14:09:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fd2\Desktop\computer fix\OTL.exe
PRC - [2010/04/07 11:12:10 | 000,085,528 | ---- | M] (DameWare Development) -- C:\WINDOWS\system32\DWRCST.EXE
PRC - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\system32\DWRCS.EXE
PRC - [2009/09/16 19:22:08 | 000,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/14 06:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\inetsrv\inetinfo.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/29 08:10:06 | 000,394,952 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
PRC - [2007/03/29 08:10:06 | 000,124,616 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\PccNTUpd.exe
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- C:\WINDOWS\Temp\KED347.EXE
PRC - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe
PRC - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe
PRC - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
PRC - [2006/05/01 08:07:44 | 000,843,776 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/03/17 17:25:16 | 000,065,536 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe


========== Modules (SafeList) ==========

MOD - [2010/05/14 14:09:43 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\fd2\Desktop\computer fix\OTL.exe
MOD - [2010/05/11 23:19:24 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\system32\dpvsarts.dll
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [Auto | Running] -- C:\WINDOWS\System32\DWRCS.EXE -- (DWMRCS)
SRV - [2009/09/16 19:22:08 | 000,020,480 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2008/04/14 06:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (W3SVC)
SRV - [2008/04/14 06:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (SMTPSVC) Simple Mail Transfer Protocol (SMTP)
SRV - [2008/04/14 06:42:24 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\inetsrv\inetinfo.exe -- (IISADMIN)
SRV - [2007/05/24 08:08:44 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/03/29 08:09:38 | 000,603,856 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\NTRtScan.exe -- (ntrtscan)
SRV - [2007/03/29 08:09:36 | 000,685,776 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\TmListen.exe -- (tmlisten)
SRV - [2007/03/29 08:03:16 | 000,282,704 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe -- (OfcPfwSvc)
SRV - [2006/03/17 17:25:16 | 000,065,536 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)


========== Driver Services (SafeList) ==========

DRV - [2009/12/04 16:39:06 | 000,230,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmxpflt.sys -- (TmFilter)
DRV - [2009/12/04 16:38:18 | 000,036,368 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\tmpreflt.sys -- (TmPreFilter)
DRV - [2009/12/04 16:05:06 | 001,322,680 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\VsapiNT.sys -- (VSApiNt)
DRV - [2008/04/14 01:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 01:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2008/04/13 23:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/24 17:37:00 | 000,138,384 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/03/22 10:54:58 | 001,844,928 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\Client Server Security Agent\TM_CFW.sys -- (TM_CFW)
DRV - [2007/02/15 08:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
DRV - [2007/02/07 08:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
DRV - [2006/08/28 02:28:56 | 000,156,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/07/21 19:12:16 | 001,095,968 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2006/07/05 14:08:28 | 000,241,152 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/03/17 17:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2004/08/04 06:00:00 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2004/08/04 06:00:00 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2004/08/04 06:00:00 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2004/08/04 06:00:00 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2004/08/04 06:00:00 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2004/08/04 06:00:00 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2004/08/04 06:00:00 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2004/08/04 06:00:00 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2004/08/04 06:00:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2004/08/04 06:00:00 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2004/08/04 06:00:00 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2004/08/04 06:00:00 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2004/08/04 06:00:00 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2004/08/04 06:00:00 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2004/08/04 06:00:00 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2003/04/24 16:21:50 | 000,006,025 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070808
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070808

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070808
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No CLSID value found.
O4 - HKLM..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.EXE (DameWare Development)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe File not found
O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\fd2\Application Data\00BF55C579B1B97C5374D33A7C815DE7\gotnewupdate000.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: disablecad = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisablePersonalDirChange = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: Intellimenus = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoTrayNotify = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSimpleStartMenu = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMBalloonTip = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDesktopCleanupWizard = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoAutoUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ForceStartMenuLogOff = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A4639D2F-774E-11D3-A490-00C04F6843FB} http://download.micr...N-US/msorun.cab (IEAnimBehaviorFactory Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: CabBuilder http://ak.imgag.com/...llerControl.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.222.2
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Goldberg.local
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2005\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: \\Goldbergsvr1\MyDocs\fd2\My Documents\My Pictures\nikki.bmp
O24 - Desktop BackupWallPaper: \\Goldbergsvr1\MyDocs\fd2\My Documents\My Pictures\nikki.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/08/21 14:21:04 | 000,000,104 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{1e8323f3-a134-11de-98eb-001aa058de7d}\Shell\AutoRun\command - "" = E:\WDSetup.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *sprestrt) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: igfxfunc - (C:\WINDOWS\system32\drivshta.dll) - C:\WINDOWS\system32\drivshta.dll ()
O36 - AppCertDlls: igfxstat - (C:\WINDOWS\system32\dpvsarts.dll) - C:\WINDOWS\system32\dpvsarts.dll ()
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/12/08 13:08:22 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16339159400579072)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/14 14:26:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/14 14:26:28 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/14 14:08:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fd2\Desktop\computer fix
[2010/05/13 09:23:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\ICS
[2010/05/13 08:47:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fd2\Local Settings\Application Data\ICS
[2010/05/11 14:25:58 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/11 14:25:56 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/11 14:25:55 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/11 13:02:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fd2\Application Data\ATManager
[2010/05/11 13:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fd2\Application Data\00BF55C579B1B97C5374D33A7C815DE7
[2010/04/19 12:45:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\fd2\Desktop\x-rays
[2010/04/07 11:12:06 | 000,068,120 | ---- | C] (DameWare Development LLC) -- C:\WINDOWS\System32\DWRCSh32.DLL
[2010/03/10 15:14:14 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\fd2\IECompatCache
[2007/08/21 14:20:27 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\implode.dll

========== Files - Modified Within 90 Days ==========

[2010/05/14 14:22:05 | 003,145,782 | ---- | M] () -- C:\WINDOWS\BGInfo.bmp
[2010/05/14 14:18:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/14 14:18:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/14 14:18:30 | 003,407,872 | ---- | M] () -- C:\Documents and Settings\fd2\ntuser.dat
[2010/05/14 14:18:09 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\fd2\ntuser.ini
[2010/05/14 08:46:53 | 000,008,795 | ---- | M] () -- C:\WINDOWS\cfgall.ini
[2010/05/12 16:36:30 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\System32\drivshta.dll
[2010/05/11 23:19:24 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\System32\dpvsarts.dll
[2010/05/11 19:53:20 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/11 17:13:47 | 000,095,872 | ---- | M] () -- C:\WINDOWS\System32\drivers\atapiold.sys
[2010/05/11 14:20:55 | 000,000,698 | ---- | M] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2010/05/11 11:25:54 | 000,002,411 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CDR DICOM for Windows.lnk
[2010/05/11 08:29:25 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\fd2\Desktop\FOXUSER.FPT
[2010/05/10 17:23:09 | 000,019,968 | ---- | M] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\birthdays.doc
[2010/05/10 10:50:14 | 000,166,958 | ---- | M] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\krovich.JPG
[2010/04/30 13:41:46 | 000,020,480 | ---- | M] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\Orlovsky.doc khaled.doc
[2010/04/30 10:08:13 | 000,020,992 | ---- | M] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\UnitedHealthcare Dental.doc
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 12:12:24 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/22 13:12:37 | 000,230,824 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
[2010/04/20 16:50:23 | 000,000,520 | ---- | M] () -- C:\Documents and Settings\fd2\Desktop\FOXUSER.DBF
[2010/04/07 11:12:10 | 000,085,528 | ---- | M] (DameWare Development) -- C:\WINDOWS\System32\DWRCST.EXE
[2010/04/07 11:12:06 | 000,240,152 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\System32\DWRCSET.dll
[2010/04/07 11:12:06 | 000,068,120 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\System32\DWRCSh32.DLL
[2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\System32\DWRCS.EXE
[2010/04/07 11:11:52 | 000,059,928 | ---- | M] (DameWare Development LLC) -- C:\WINDOWS\System32\DWRCK.DLL
[2010/03/30 14:41:10 | 000,002,653 | ---- | M] () -- C:\Documents and Settings\fd2\Desktop\Universal Integrator.lnk
[2010/03/23 10:47:36 | 000,022,528 | ---- | M] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\March 23.doc wyche.doc
[2010/03/19 08:16:20 | 000,543,446 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/19 08:16:20 | 000,452,886 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/19 08:16:20 | 000,080,886 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/18 08:38:13 | 000,035,200 | ---- | M] () -- C:\Documents and Settings\fd2\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/15 15:23:40 | 000,002,756 | ---- | M] () -- C:\Documents and Settings\fd2\Desktop\shelters.png
[2010/03/10 10:24:42 | 003,516,803 | ---- | M] () -- C:\Documents and Settings\fd2\Desktop\Mark_Hochman_Information_2010_01_11.zip

========== Files Created - No Company Name ==========

[2010/05/12 16:36:30 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\drivshta.dll
[2010/05/11 23:19:24 | 000,040,960 | -H-- | C] () -- C:\WINDOWS\System32\dpvsarts.dll
[2010/05/11 23:19:21 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\NetworkService\Application Data\jmkneq.dat
[2010/05/11 19:53:20 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/11 14:20:44 | 000,000,698 | ---- | C] () -- C:\WINDOWS\System32\DWRCCMDError.ini
[2010/05/10 16:33:05 | 000,019,968 | ---- | C] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\birthdays.doc
[2010/05/10 10:50:14 | 000,166,958 | ---- | C] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\krovich.JPG
[2010/04/30 13:41:46 | 000,020,480 | ---- | C] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\Orlovsky.doc khaled.doc
[2010/04/30 10:08:12 | 000,020,992 | ---- | C] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\UnitedHealthcare Dental.doc
[2010/04/20 16:50:23 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\fd2\Desktop\FOXUSER.FPT
[2010/03/23 10:47:37 | 000,022,528 | ---- | C] () -- \\Goldbergsvr1\MyDocs\fd2\My Documents\March 23.doc wyche.doc
[2010/03/15 15:23:38 | 000,002,756 | ---- | C] () -- C:\Documents and Settings\fd2\Desktop\shelters.png
[2010/03/10 10:24:41 | 003,516,803 | ---- | C] () -- C:\Documents and Settings\fd2\Desktop\Mark_Hochman_Information_2010_01_11.zip
[2009/09/14 08:42:51 | 000,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2009/09/14 08:42:51 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2008/10/17 14:46:08 | 000,002,795 | ---- | C] () -- C:\WINDOWS\RBuilder.ini
[2008/08/08 10:55:58 | 000,008,795 | ---- | C] () -- C:\WINDOWS\cfgall.ini
[2008/08/07 15:31:34 | 000,021,791 | ---- | C] () -- C:\WINDOWS\System32\smtpctrs.ini
[2008/08/07 15:31:33 | 000,001,037 | ---- | C] () -- C:\WINDOWS\System32\ntfsdrct.ini
[2008/08/07 15:31:20 | 000,038,576 | ---- | C] () -- C:\WINDOWS\System32\w3ctrs.ini
[2008/08/07 15:31:20 | 000,011,435 | ---- | C] () -- C:\WINDOWS\System32\infoctrs.ini
[2008/08/07 15:31:20 | 000,010,225 | ---- | C] () -- C:\WINDOWS\System32\axperf.ini
[2008/08/07 12:32:30 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2008/05/30 11:14:18 | 000,000,090 | ---- | C] () -- C:\WINDOWS\nea.ini
[2007/10/05 11:35:33 | 000,000,031 | -H-- | C] () -- C:\WINDOWS\uccspecc.sys
[2007/08/23 14:46:17 | 000,000,040 | ---- | C] () -- C:\WINDOWS\DRDIRECT.INI
[2007/08/21 14:29:30 | 000,000,461 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/08/21 14:21:03 | 000,000,100 | ---- | C] () -- C:\WINDOWS\WINCAGE.INI
[2007/08/21 14:20:28 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\CO2C40EN.DLL
[2007/08/21 14:20:28 | 000,064,512 | ---- | C] () -- C:\WINDOWS\System32\eztw32.dll
[2007/08/21 14:20:28 | 000,062,256 | ---- | C] () -- C:\WINDOWS\System32\cachart.dll
[2007/08/21 14:20:28 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\improc.dll
[2007/08/08 11:22:29 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2007/08/08 11:19:48 | 000,000,120 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/08/08 10:58:47 | 000,348,880 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/08/08 10:58:47 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4642.dll
[2007/08/08 10:55:25 | 000,001,121 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/11 17:24:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/11 17:11:31 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/03 22:59:44 | 000,095,872 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapiold.sys
[1999/03/05 11:04:02 | 000,004,112 | ---- | C] () -- C:\WINDOWS\System32\Winmn.drv
[1998/10/17 15:05:04 | 000,004,112 | ---- | C] () -- C:\WINDOWS\System32\Secvx.drv
[1996/08/03 12:00:00 | 000,004,112 | ---- | C] () -- C:\WINDOWS\Mnsysx.dll

========== LOP Check ==========

[2008/06/30 16:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Bomgar-SCC-48693927
[2008/01/16 10:55:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2009/09/14 08:43:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kiwee Toolbar2
[2009/12/02 17:10:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SecTaskMan
[2008/12/02 13:12:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2010/05/14 13:58:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fd2\Application Data\00BF55C579B1B97C5374D33A7C815DE7
[2010/05/11 13:02:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\fd2\Application Data\ATManager

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2007/08/21 14:21:04 | 000,000,104 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/12/08 13:04:38 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2004/08/11 17:15:00 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2007/08/08 10:59:18 | 000,005,784 | RH-- | M] () -- C:\dell.sdr
[2009/12/08 13:01:13 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2009/07/17 14:52:14 | 000,000,961 | -H-- | M] () -- C:\IPH.PH
[2010/05/13 08:48:39 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2004/08/11 17:15:00 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/12/08 13:33:44 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/14 14:18:47 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2010/05/14 11:16:13 | 000,000,466 | ---- | M] () -- C:\rkill.log
[2010/05/14 14:19:11 | 000,091,286 | ---- | M] () -- C:\ssapi.log
[2008/08/08 10:55:18 | 000,000,021 | ---- | M] () -- C:\tmuninst.ini

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/12/08 07:56:35 | 000,524,288 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/12/08 12:31:55 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/12/08 07:56:35 | 026,738,688 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/12/08 07:56:35 | 004,980,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/11 17:13:47 | 000,095,872 | ---- | M] () -- C:\WINDOWS\system32\drivers\atapiold.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
< End of report >
OTL Extras logfile created on: 5/14/2010 2:33:51 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\fd2\Desktop\computer fix
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,014.00 Mb Total Physical Memory | 631.00 Mb Available Physical Memory | 62.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.96 Gb Total Space | 134.96 Gb Free Space | 90.60% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 193.03 Gb Total Space | 166.33 Gb Free Space | 86.17% Space Free | Partition Type: NTFS
Drive P: | 193.03 Gb Total Space | 166.33 Gb Free Space | 86.17% Space Free | Partition Type: NTFS

Computer Name: FRONTDESK2
Current User Name: FD2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"6129:TCP" = 6129:TCP:*:Enabled:DameWare Mini Remote Control Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"6129:TCP" = 6129:TCP:*:Enabled:DameWare Mini Remote Control Service

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2005\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2005\QBDBMgrN.exe:*:Enabled:QuickBooks 2008 Data Manager -- (iAnywhere Solutions, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}" = Macromedia Flash Player
"{071B9AFA-EBE8-4ABF-8F4A-9F92612F517E}" = Broadcom ASF Management Applications
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{33D6CC28-9F75-4d1b-A11D-98895B3A3729}" = HP Photosmart 330,380,420,470,7800,8000,8200 Series
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3F873E63-1CA5-4bdb-A8C7-D97012496DE3}" = Canon MF6500 Series
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{755EC5E3-FD51-46bd-A57F-7A2D56FBF061}" = PSTAPlugin
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{769A295C-DCF4-41d6-AFBA-7D9394B23AFE}" = PSPrinters08
"{76DFE172-9A45-4A05-B9F1-22AD72C92277}" = FastAttach - NEA
"{7AD15E96-1C1A-4171-87CF-29B2E869FEFD}" = CDR DICOM for Windows 3.5 SR1
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{92FD71D5-ED7E-40B2-8DF3-4B5E6F684367}" = Dell ETS Factory Installation
"{95120000-003F-0409-0000-0000000FF1CE}" = Microsoft Office Excel Viewer
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A3455242-DAE0-4523-8242-FD82706ABF4B}" = CameraDrivers
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{AF715872-3BBA-4873-81CF-FC7FFA1FB175}" = CDR DICOM for Windows 3.5
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F1670367-C07F-411f-A196-79D2C65CBEC0}" = PS8200
"{F365A286-E58B-4081-AC17-9993FC0256F1}" = Universal Integrator
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FA362C5C-A5D2-470F-A2CC-F13546919D36}" = YouSendIt Express
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"1.0_is1" = CareCredit CCware Version 4.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"Computer Age Dentist" = Computer Age Dentist
"Coupon Printer for Windows2.0" = Coupon Printer for Windows
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"DamewareMirror" = DameWare Development Mirror Driver Uninstall
"ERUNT_is1" = ERUNT 1.1j
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"ie8" = Windows Internet Explorer 8
"InstallShield_{AF715872-3BBA-4873-81CF-FC7FFA1FB175}" = CDR DICOM for Windows 3.5
"InstallShield_{F365A286-E58B-4081-AC17-9993FC0256F1}" = Universal Integrator
"InstallShield_{FA362C5C-A5D2-470F-A2CC-F13546919D36}" = YouSendIt Express
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"OfficeScanNT" = Trend Micro Client/Server Security Agent
"SearchAssist" = SearchAssist
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CareCredit" = CareCredit

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/10/2010 7:02:25 PM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/10/2010 7:02:25 PM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/11/2010 11:45:11 AM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/11/2010 11:45:11 AM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/11/2010 11:45:11 AM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/11/2010 1:35:44 PM | Computer Name = FRONTDESK2 | Source = QuickBooks | ID = 4
Description =

Error - 5/11/2010 11:19:40 PM | Computer Name = FRONTDESK2 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module iexplore.exe, version 8.0.6001.18702, fault address 0x00006472.

Error - 5/12/2010 4:37:37 PM | Computer Name = FRONTDESK2 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module iexplore.exe, version 8.0.6001.18702, fault address 0x00006472.

Error - 5/12/2010 4:37:46 PM | Computer Name = FRONTDESK2 | Source = Application Error | ID = 1001
Description = Fault bucket 1587186941.

Error - 5/13/2010 9:20:18 AM | Computer Name = FRONTDESK2 | Source = Application Hang | ID = 1002
Description = Hanging application gotnewupdate000.exe, version 0.1.0.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 9/14/2009 8:42:33 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Kiwee Toolbar2\1.2.114\MFC80U.DLL.
Reference
error message: The operation completed successfully. .

Error - 9/14/2009 8:42:33 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 9/14/2009 8:42:33 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 9/14/2009 8:42:33 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Kiwee Toolbar2\1.2.114\MFC80U.DLL.
Reference
error message: The operation completed successfully. .

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Kiwee Toolbar\2.8.167\MFC80U.DLL.
Reference
error message: The operation completed successfully. .

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842784
Description = Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last
Error was The referenced assembly is not installed on your system.

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference
error message: The referenced assembly is not installed on your system. .

Error - 9/14/2009 8:43:14 AM | Computer Name = FRONTDESK2 | Source = SideBySide | ID = 16842811
Description = Generate Activation Context failed for C:\Program Files\Kiwee Toolbar\2.8.167\MFC80U.DLL.
Reference
error message: The operation completed successfully. .


< End of report >


Computer crashed on running GMER.
  • 0

#4
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Copy the text between the lines of stars by highlighting it and pressing Ctrl + C
***************************************************************************************************
:OTL
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- C:\WINDOWS\Temp\KED347.EXE
MOD - [2010/05/11 23:19:24 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\system32\dpvsarts.dll
SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No CLSID value found.
O4 - HKLM..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe File not found
O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\fd2\Application Data\00BF55C579B1B97C5374D33A7C815DE7\gotnewupdate000.exe File not found
O36 - AppCertDlls: igfxfunc - (C:\WINDOWS\system32\drivshta.dll) - C:\WINDOWS\system32\drivshta.dll ()
O36 - AppCertDlls: igfxstat - (C:\WINDOWS\system32\dpvsarts.dll) - C:\WINDOWS\system32\dpvsarts.dll ()

:Files
C:\WINDOWS\Temp\KED347.EXE
C:\WINDOWS\system32\dpvsarts.dll
C:\WINDOWS\system32\drivshta.dll
C:\Documents and Settings\NetworkService\Application Data\jmkneq.dat

:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered, OTL will reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Run Malwarebytes' Anti-Malware

* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop, do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html

Download and rename this file (call it george.exe) to your Desktop from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on george to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

Reboot now, please.

Post Back (copy/paste the .txt files, do not use attachments)

We need to check for Rootkits with RootRepeal
* Extract RootRepeal.exe from the archive.
* Open RootRepeal.exe ([image]) on your desktop.
* Before you run the scan go into Settings, Options, General and move the slider to Middle Level then close the Settings box!
* Click the [image] button.
* Allow RootRepeal to run a scan of your system. This may take some time.
* Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

After following the above, post back with:

OTL Log
MBAM log
Combofix log
RootRepeal.txt

Ron
  • 0
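The entries Ron puts in the fix script above are the ones a reviewer picks out of an OTL log by hand: files in the Windows directory with no company name, modified shortly before the scan or run from a Temp folder, a Run key pointing into a per-user Application Data folder with a random-looking name, and AppCertDlls entries (DLLs that Windows loads into every process that calls CreateProcess). The Python below is an added example, not OTL's code and not part of this thread; it applies those same checks to OTL-style lines taken from the logs posted above. The 7-day window, the 32-hex-character folder heuristic, and the function names are my assumptions, and the output is a list of candidates for a human to review, not a verdict.

```python
"""Triage helper for OTL-style log lines (added example; not OTL's code).

OTL lists each file as
    [YYYY/MM/DD HH:MM:SS | size | attrs | M] (Company) -- path
and each startup item as an "Onn - ..." line.  triage() collects entries a
reviewer would want to look at; thresholds and heuristics are assumptions.
"""
import re
from datetime import datetime, timedelta

# Sample lines copied from the OTL logs in this thread (used as test input).
SAMPLE_LOG = r"""
PRC - [2007/03/29 08:10:02 | 000,214,712 | ---- | M] () -- C:\WINDOWS\Temp\KED347.EXE
MOD - [2010/05/11 23:19:24 | 000,040,960 | -H-- | M] () -- C:\WINDOWS\system32\dpvsarts.dll
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/05/11 17:13:47 | 000,095,872 | ---- | M] () -- C:\WINDOWS\system32\drivers\atapiold.sys
[2004/08/04 06:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
O4 - HKCU..\Run: [gotnewupdate000.exe] C:\Documents and Settings\fd2\Application Data\00BF55C579B1B97C5374D33A7C815DE7\gotnewupdate000.exe File not found
O36 - AppCertDlls: igfxfunc - (C:\WINDOWS\system32\drivshta.dll) - C:\WINDOWS\system32\drivshta.dll ()
O36 - AppCertDlls: igfxstat - (C:\WINDOWS\system32\dpvsarts.dll) - C:\WINDOWS\system32\dpvsarts.dll ()
"""

# Scan time from the OTL Extras header in the thread (5/14/2010 2:33:51 PM).
SCAN_TIME = datetime(2010, 5, 14, 14, 33, 51)

FILE_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|DRV|SRV) - )?"
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| M\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] "
    r"(?P<path>.+?)(?: File not found)?\s*$"
)
APPCERT_RE = re.compile(
    r"^O36 - AppCertDlls: (?P<name>\S+) - \((?P<value>[^)]*)\) - "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)
# Heuristic (assumption): a path component made of exactly 32 hex characters.
HEX32_DIR = re.compile(r"\\[0-9A-Fa-f]{32}\\")


def triage(log_text, scan_time, recent_days=7):
    """Return {lower-cased path: [reasons]} for entries worth a human look."""
    findings = {}

    def flag(path, reason):
        findings.setdefault(path.lower(), []).append(reason)

    cutoff = scan_time - timedelta(days=recent_days)
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            path, company = m.group("path"), m.group("company").strip()
            mtime = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            low = path.lower()
            in_windows = low.startswith("c:\\windows\\")
            if in_windows and not company:
                flag(path, "no company/version info in Windows directory")
            if in_windows and mtime >= cutoff:
                flag(path, "modified within %d days of scan" % recent_days)
            if "\\temp\\" in low and low.endswith((".exe", ".dll", ".sys")):
                flag(path, "executable in a Temp folder")
            continue
        m = RUN_RE.match(line)
        if m:
            path = m.group("path")
            if "\\application data\\" in path.lower() and HEX32_DIR.search(path):
                flag(path, "%s Run entry in per-user data dir with 32-hex folder name"
                     % m.group("hive"))
            continue
        m = APPCERT_RE.match(line)
        if m:
            reason = "AppCertDlls entry '%s' (loaded into every new process)" % m.group("name")
            if not m.group("company").strip():
                reason += ", no company info"
            flag(m.group("path"), reason)
    return findings


def run_sample():
    """Run the triage over the thread's sample lines with the thread's scan time."""
    return triage(SAMPLE_LOG, SCAN_TIME)


if __name__ == "__main__":
    for path, reasons in sorted(run_sample().items()):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a saved OTL.txt by passing the file contents and the scan time from its header to triage(). mbam.sys (signed by a known vendor, older than the window) and NTDETECT.COM (outside the Windows directory, last modified in 2004) produce no findings, while the two AppCertDlls DLLs, the Temp executable and the Run entry do, which matches the items in the fix script.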

#5
shiv1226

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
So I ran MBAM and the OTL, but on running ComboFix I was having trouble. No disclaimers or anything popped up; my hard drive light was not even flashing, so I deleted it and tried to download it again, and nothing happened. A co-worker of mine did something and then there was no sound. Upon trying to reinstall the drivers, the computer can't seem to handle multiple programs opening or certain functions in programs. I will post the logs once I get back to work tomorrow. Any suggestions as to what I should do?
  • 0

#6
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Remember, when working with ComboFix you must pause or turn off your anti-virus.

When you redownload it, you need to save it to a different name, say George2.exe.

Ron
  • 0

#7
shiv1226

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I have something called Trend Micro Client/Server Agent? It doesn't really give me the option of disabling it or anything on the console, just to scan or review logs.
  • 0

#8
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Trend Micro apparently has to be stopped by killing the service.

http://solutionfile....en/Services.htm

Stop the following services:

Trend Micro Client/Server Agent Listener
Trend Micro Client/Server Agent RealTime Scan

Ron
  • 0