Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

BROKEN LINKS


  • Please log in to reply

#16
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

I'm having problems getting this ComboFix to run now.

When I initially ran the Tool, I told you that there was this little Bar that appeared down at the bottom of my Desktop, but now, after running this Program 3 times, I don't get that Bar at all, so my take is, I think that CombFix has already done it's job, what about you ???

Unless there is something else you need me to do, should I run the Boot-Time Scan with AVAST ???

Edited by simplee55, 30 April 2011 - 03:22 AM.

  • 0

Advertisements


#17
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,425 posts
  • MVP
Don't know what happened to the notification email. The forum had a glitch a while back and might have lost it.

You can run the Avast boot-time scan at anytime.

Look at c:\combofix.txt that should be the log from combofix if it ran. Copy and Paste it to a reply.

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply
Posted Image
  • 0

#18
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

I haven't gotten any Notifications from anyone since the site was redone last year.

rshaffer61 has tried and retried to help me with this and still no Notifications, but I do get all PM's, very strange.

The only way I know that someone has posted any replies, I have to keep coming back to the site to see if I have any answers, that's if I remember to do so.

I did a search on c:\combofix.txt and it's not on my PC at all.

Okay, I'm getting ready to start on the other instructions and will post as soon as I can.

Thank U !!!
  • 0

#19
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

I took a SNAPSHOT so you can see for yourself that the FixMBR is enabled.

Attached Thumbnails

  • Attachment No. 1.JPG

  • 0

#20
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Here is the Log:


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-13 21:44:01
-----------------------------
21:44:01.953 OS Version: Windows 5.1.2600 Service Pack 3
21:44:01.953 Number of processors: 1 586 0x401
21:44:01.953 ComputerName: DEBRA UserName:
21:44:02.343 Initialize success
21:46:15.843 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:46:15.843 Disk 0 Vendor: WDC_WD800BB-75JHC0 06.01C06 Size: 76293MB BusType: 3
21:46:17.875 Disk 0 MBR read successfully
21:46:17.875 Disk 0 MBR scan
21:46:17.890 Disk 0 unknown MBR code
21:46:19.890 Disk 0 scanning sectors +156232125
21:46:19.937 Disk 0 scanning C:\WINDOWS\system32\drivers
21:46:30.046 Service scanning
21:46:31.171 Disk 0 trace - called modules:
21:46:31.187 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
21:46:31.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f48ab8]
21:46:31.187 3 CLASSPNP.SYS[f7696fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86fd7d98]
21:46:31.187 Scan finished successfully
21:53:02.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Debra Flowers\Desktop\MBR.dat"
21:53:02.625 The log file has been saved successfully to "C:\Documents and Settings\Debra Flowers\Desktop\aswMBR.txt"
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,425 posts
  • MVP
I don't see anything wrong with your aswMBR log. It looks clean to me. You can submit the file:
C:\Documents and Settings\Debra Flowers\Desktop\MBR.dat to http://virustotal.com and see if you get a 0/42 but I expect you will.

The FixMBR button is always enabled. It doesn't have any significance.

It would be good if you could get Combofix to run. Forum is going down in one minute so I better post this soon.

Go into the My Profile and change how it notifies you. Put in your current email address and maybe add to tell you if someone quotes you.

Ron
  • 0

#22
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts

I don't see anything wrong with your aswMBR log. It looks clean to me. You can submit the file:
C:\Documents and Settings\Debra Flowers\Desktop\MBR.dat to http://virustotal.com and see if you get a 0/42 but I expect you will. Ron, I have NO idea what your talking about. Something I should have told you is that I'm not real computer savvy, your talking way over my head here. Please brake this down for me, step-by-step.


The FixMBR button is always enabled. It doesn't have any significance.

It would be good if you could get Combofix to run. Forum is going down in one minute so I better post this soon. It's not me that won't let ComboFix run, it's ComboFix and Google. I guess because Google is set up the way it is when you have to download something, there is NO Save button, only Run or Cancel. So after you hit the Run button, it does exactly what it's told to do, Run. I think that's where the problem is.



Go into the My Profile and change how it notifies you. Put in your current email address and maybe add to tell you if someone quotes you. As I mentioned, everything has been checked under my Profile, every thing checks out, just not receiving any Notifications, it's crazy.

Ron


  • 0

#23
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts

I don't see anything wrong with your aswMBR log. It looks clean to me. You can submit the file:
C:\Documents and Settings\Debra Flowers\Desktop\MBR.dat to http://virustotal.com and see if you get a 0/42 but I expect you will.
Okay, I read and re-read this instruction and finally figured it out. So I ran this Tool and now what ??? How do I show you the results, because there's no LOG to post, or I didn't see any.


  • 0

#24
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

I'm going to try and do this ComboFix with IE to see if I get anywhere.

If I do, I'll post anything it gives me, if I can. :)
  • 0

#25
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

It worked :) YES !!!

Here is ComboFix Log


ComboFix 11-05-14.01 - Debra Flowers 05/14/2011 17:55:10.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.623 [GMT -7:00]
Running from: c:\documents and settings\Debra Flowers\Desktop\George.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Debra Flowers\Application Data\PriceGong
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Debra Flowers\Application Data\PriceGong\Data\z.xml
c:\windows\system32\x517_256.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-15 01:07 . 2011-05-15 01:07 63115 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\USERTILE.JS
2011-05-15 01:07 . 2011-05-15 01:07 9310 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXTBOX.JS
2011-05-15 01:07 . 2011-05-15 01:07 8646 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TILEBOX.JS
2011-05-15 01:07 . 2011-05-15 01:07 8613 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\SAVEDUSER.JS
2011-05-15 01:07 . 2011-05-15 01:07 6429 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UICORE.JS
2011-05-15 01:07 . 2011-05-15 01:07 5927 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\TEXT.JS
2011-05-15 01:07 . 2011-05-15 01:07 4599 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\UIRESOURCE.JS
2011-05-15 01:07 . 2011-05-15 01:07 1651 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\QUERYSTRING.JS
2011-05-15 01:07 . 2011-05-15 01:07 6910 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\NEWUSERCOMM.JS
2011-05-15 01:07 . 2011-05-15 01:07 8288 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\IMAGE.JS
2011-05-15 01:07 . 2011-05-15 01:07 6208 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LINK.JS
2011-05-15 01:07 . 2011-05-15 01:07 18541 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\LOCALIZATION.JS
2011-05-15 01:06 . 2011-05-15 01:06 51852 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\EXTERNALWRAPPER.JS
2011-05-15 01:06 . 2011-05-15 01:06 8782 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\BUTTON.JS
2011-05-15 01:06 . 2011-05-15 01:06 7271 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\CHECKBOX.JS
2011-05-15 01:06 . 2011-05-15 01:06 23327 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\COMBOBOX.JS
2011-05-15 01:06 . 2011-05-15 01:06 20719 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\temp\wlidui_WLIDSVC\DIVWRAPPER.JS
2011-05-13 18:46 . 2011-05-13 19:53 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\DailyMagic
2011-05-12 17:19 . 2011-05-12 17:19 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\LegacyInteractive
2011-05-12 04:04 . 2011-05-12 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2011-05-09 04:53 . 2011-05-09 04:53 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\quickclick
2011-05-01 13:01 . 2011-05-01 18:26 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\Digital Smoke
2011-05-01 13:01 . 2011-05-01 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Micro Digital
2011-05-01 13:01 . 2011-05-01 13:01 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\Downloaded Installations
2011-04-30 17:59 . 2011-04-30 17:59 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Az-Art
2011-04-30 02:52 . 2011-04-30 02:52 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\dj3
2011-04-28 09:28 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 09:28 . 2011-04-28 09:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 09:28 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 00:18 . 2011-04-28 01:30 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Maximize Games
2011-04-28 00:18 . 2011-04-28 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Maximize Games
2011-04-26 21:26 . 2011-04-26 21:26 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Sungift Games
2011-04-26 21:26 . 2011-04-26 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sungift Games
2011-04-24 19:25 . 2011-04-24 20:33 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Happy Muffin Top
2011-04-21 18:07 . 2011-04-21 18:07 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Funlinker
2011-04-19 03:58 . 2011-04-19 03:58 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\My Games
2011-04-15 16:31 . 2011-04-15 16:31 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\WildWestStory
2011-04-15 07:13 . 2011-04-15 07:13 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Cosmonaut Games
2011-04-15 05:09 . 2011-04-15 05:09 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Zylom
2011-04-15 05:09 . 2011-04-15 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2011-04-15 04:46 . 2011-04-15 04:46 -------- d-----w- c:\documents and settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2011-04-15 04:46 . 2011-04-15 04:46 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\GameHouse
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-09 21:00 . 2009-08-18 18:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-03-09 21:00 . 2009-08-18 18:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-07 05:33 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 17:51 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 17:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 14:04 . 2011-04-12 22:46 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2011-04-12 22:46 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2011-04-12 22:46 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-23 13:56 . 2011-04-12 22:46 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2011-04-12 22:46 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2011-04-12 22:46 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 13:55 . 2011-04-12 22:46 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 13:55 . 2011-04-12 22:46 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:54 . 2011-04-12 22:46 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 13:54 . 2011-04-12 22:46 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-22 23:06 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2005-07-12 02:06 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-07-12 02:06 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-15 12:56 . 2004-08-10 17:50 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"= 5ed9f75d9d755ad1a37d34ae14546e015815c95b4b772cd436f43c4ffe2a2e009c81d92ccd0e10300bb72ec5bb98f282a8a68ea2b092fa08bdf08e80f799d048394e8bcfc19e21bc2b092132dda0651c534b81b5030c09f8ee71a9edcce2756ce31b8932cedfec357eebba357e2983947b27ee6703c7a2cd8d38667fba2586a9da2c79f9b291c2f57c34149130c0b901022634cc2c4a2622edb4fb6e6fd229943034526805023ee608c0ec5d5ed0ccd00bf12e9d0b05fb5c9e17a30ae39c5667a8f9779c81464e211752fddec3e7b5915c4f296f4c16430eea12168204a115c6ba32825e9307b7283bca384ddfe9fce3c19924fef3b9e88b02ade63e1ef968cc7b0ee65bf663cb36fcc87cc6a8f797bd2b6d78957178023901909c0226ea79e44c4b1deaac1a1ddf2cba264e801640ad967e54c8d631b1ecb6d33b3b49e1015dc6021adf16c8e0828b92473ccfb16e801bc974bfa97a8d2f6b4055cbfd98639bd8652235c991dc84a2f718c8308126de6d8df8c2f6963352bf10865505933bbbb6843c0c26eb5037aa8d23d4d1593967e30caab264a5cbcddd190a78df491aaf4631517fbb624e197cb2de24603220581560e849ad9e628059e3f8d074b175e7c3476a24fb17d0a8837af0b07ce1a38022ffd10f65a5c9a2764d84a0391925eb0cba2d50a2eef2210f464d201f2d949fec26c8e6b0550fd5d74164ca59d88dc546b34dcba29cdc88744e94371a7bedc7df14ab36cfc45641cabdeceb40d8b8d14cbc370ea2cc0ebb4c0021b5fe486f963e2350e4c76dfa8730784a81c95fc2d9c597cdd89fc74b78b6da491a3a5210774cdf62d96130008be8096f8e2c96fc8d7bfefe13883c5b96fc0e2a4e29b6df67783b3bd3f4ccc0dd48b2a4b57a322470d6b51a512726d2472e9c1ab64c39987a825161299bcfc699a8d571a3ada3b1269aba134e7d413216f5a7d00bea8a25537bd876ef9f3834ea3d929b9ac18f47e724c2d3107d7ba103d03b7974d46b722dfa4d16a5aa32c1d3d0ee4a449789e56c74374839678a0dee7ee7582f9a36b95875de5413e4f13f2a5aa32b99ae0147e81efbe061b893134e9b26e18d29e4b52750ce18d9eb24dd7596e49b86c18d60330428a466b2897c2cb1d3105f893a4f83ba0de2ef53f35e2dc074bda3e4bc0f72679c6d9e52d22f6fd98a5e187724cf6c97413823dc73d8dc2d5015f1c929c475ccbb812252bdf592dfba55b2ff1d2b74298a59c5e9755bbf3eedcc1f41b82cf908a5e0aaca1e7a0f44fd3bf45ba0d6d0024077af5e7e046f283fa3a52f54ba7c05f0cfc0ef4e9bea0d6549450d752baee6ea099bc983b95c54b3efa10947573d004ae129d8265cccf30b4779e395e43a1fa98dccfb9f4bead7a7a5ce9665b6f651df82244d998aa8ee2bfe9ee15f02f302e30676122dfc5f365ecb0833bcf5002f62775bb736f04d071c06f7856906818e9bca697547e01bc952e8c1d7643e5c709ada14ed7c74cc6f2eebfa6beae7b667adbd10fefb3194a72a1cc677c37789f34261cf54cb056a306bc9744e9dc8eeb91483a713b4d3602ce1222dd3fddb1eed2c1f1fc35bba1da080556b9c23ed63b31d84501aa0168bd277cee57d8f7a4571b7b03c920ba483d445383a968b033f8ecb0b1780ccc8e05fc07387b51c803b46a76921f0d1ae49d6471ae0bdc447a8b62a64a6fed1361a221f5db46759d90568b8cd3401c082f26ccdaeb0aaeff7ce0f25f7b39893d2f2ad1d16bebfc1dba1c2f5cc68de8d7d2768deff7d1024b3195c215b7d550777027f98ce1d0f8c4be059330ac4885bb3a59174070e69f2b8b776f37e4c442267707adb6e02eb0c8f509fb26b9b689834080557760ae924dda7d847e387a7cfab4b44852d1ff51e9493e5b5e4a6dc78e0244ea12b3397a7ad2885b6389f175d6cca8487d8097fad61bbba4ae854a98e27b088eb56dca79f5c2ae2c5ab3ced23572b8d3a6a22532721c0712659bdcd5644d154bb60d19189aa1b7ea00e359a5323b13b6d15542676e2765d32caac386b00a5b7f0a65217def84aa31ec86ccd2f982ac67d2670b5a9f3594e26e585fdbe702c6c822f10a76125b07dfa48bf29af40d431fb6c638f0526ec0f754872f886ee2fee5c7e861798e6397d2b25dcb4670d8abc5c47d62861970480f161dd79e5b96d71f3eee7f0ebe4aafb12ddbd07541e1eb22d49bfb1cae6cf0a6b433a830b7e735a43e071366c6cf75e03b8192952fcfcb54d69dddcbbbc55649612db76b3fe8a52a5d92440df5958b1ca1a654028f6282efce465a840430ab17cc9074a3c256039c1e38109f78fd252a71d8c3aee88cb3ceebae429c3acf86cb8ceca91bba9cd090fc3812741c3006f5dd5d41061500caff2968f66ea4e3cb00d826c02b8dd876d80a40e818707c20b36540ae6c96b96140e72420d69ca3d571c416a57c589066728e88b282f32d51a2ff5846a6df3a10ae1d584073a1df518215d9172c2a66fe489fc44041f29a84455e3a60a0705e1ba17b1832525df31ad18a53da9fbb61e0a0b291e3f0e7d5357e6d9d06665981c296304e3ed0e62ecac82304b7a99aad81f0592e0069c311a56f299dc5e2d2ed78e3615655fa36bca383c7c48eecbf5a5bcf6f94cf01f714fe488a4ac30bb07cf1e2956595e11e320fca32e778e65b7afb2d710ddb85236de9b36219936449a84b4494d6a49fd1f6b1f2ac244b9941186d0a20972cf9e6993e726a894e854c38f5438df231f8630c7b38b195d3766950a1174d546aa0c2a2f716d262322f4fe8d489233ff007e72820127b829d96db9ed791083b4f4695fb384d758f8f6ce7dbf3d67ab8d0a96998af85cdb4e4eb11147d4115f5be6371dcec628cf65367457cc47b969356c684042d2cc8f25f448bb0569e047a401fa8f401166bab60b9deaed5246b5724cffa9d960b8592b834224d1bd54eeb1a830c6297c3c4501349cd09eec0617788ed2e1cdad510c97b160cfbc353d4386ad9922524ceece8c241295db900c3398cf279885f146ecbcf777d1e536cbe8eaacfc64967276cf0843d1947409a00ca2ff7e73ac68f43e01809cafb0b387a6e40dddbaaaf2c388fb0f824bf690e5ad6d93e2dda3dd7de254ccea2ff68df2773f8f97c3e738fbc1afd67e5fa29dd827989b3e458e074e56daec8927202add3de6011c74a6d4ade6212d810ef700492d7534e7edae5f2245cdd29d9ca9d50a319a339bba8bfab94b517cf97a3b994cc1eb4175236434c113630cf9f291f37e7c963cddf4b29cdfc5f4f9a4250a55f447a9a2c8d22fd80d938846a46e4e25ad9b3473050ea4fe0d37a7bfaeec066a9aa4ae43d4e5593372ff6b1ba1fb1a68ebcfd2e8b5d3d8dc0cf9792d4ea138b5a511c998766a96e99deb70868d0c803fe4be803a42f42a955c62f14e4c85f0602be3202fe294cd263d014b9f41ece503c0b116322acbfb25a69909d16262fb4f27970f3b3059ad725a3c3bf97fe24911af2549f98348402fcee3392780374143cabfb6008307c26dcbc122e2ee162cee8a3a1091f5435eacd93bc8b5217429af191bc75ad010d5a7c1f53c6eb3859c63de288de8474fc42a5b8ed5d01a7dc0232783645285eaf39c068600140698d9a158f11648815b72ae2434dad8be5cc4369351c2e0e899571f7361092f1063b743b50d2dcaa8dff6f1f01471690986276aa5dccc5cf8eda5e465d7993817f5ddc98b6378959a25a4f7fba577c30a63c292c7e8395b22fbd544761877b7531eceb780487a75405e721ed52da3f84334d9ad56a0e3e6e67bf21c5a2043ab6ba5f2fe292a4d5df545bd1013866ee1379ce4941f1eec1126cdd3c41719d5453fe7d834c6925a673e30a9487d165278a89edbb99127b50a435e6c13dabc21c499503a3a36bf58e2788989e0048ef0bfb274d08210aa7ae1176422aea7104beb0ae12e7fd622b92d14cbd9c7a152f59fd5c3ba3f63131e5a80b19f01485fcc1a5d40070fd13289c3465da6ca530c53d92abce57b78731b068d545fd3cebd6f499806dd6552f20d3601bf597bfabeddb055f988d89f18737acf8672ea7bcfe9c94c4ce2cfb0035cc8cec9e5ddbfa96b15fb8a4f1b110bbb429cb236c6724675551e7974ce91cac648bc14aa295681de5e89b32438373b19f27b545ac57d19eabaf4f6d4bde95d11f4bdbaab4f6da8235f1565106bb3830ac12ee1c64a97da8261aebca4e5a87c9e8d2fa8147cab9c4116c0f99711179d53a5cf622a3eeb9a1cd8118b5832149356393aa7c52dda96c5002a9257ff52ec12b3c51f170ad01047b27394b3c6713353aca32bfb3d91b88c274393679055b928fc4a6d90712280c2d92fd0aeb3a7240fdcbe6fc6318ec99957800bcc12944306fc4807557dbc0973f715ec48411f56af5736477d5066a9bf90d127443e51435cf85fa3dec634ac704d2d520246742f9c2eddd25a3e0e59b4b59de34203d5107e418309c711531e34ff2ceb0b08a8efd65dc77bb964e4ce0200e87e0212bd191b40050d1bf40dc5c8a8fc15bc6251d8747a8cd8a3a32aedcc29d7690f78e0b443dee7344692e0da7091f4257410162777307ce3bb3920f9b5deb9d46e123d24291ea58f46f1f0a366b76a10d0ad2e141333ea36ed22e2376c61384653b36a73bfd31c660bc31851f0619323f13bb1fef6a44cb1ec3707f1ce5b7c2c94e19906b4c08bcbd44a6511ca56b7f5c79e63a8cf66ac2b6d5f9056a4ca581f28e06d19ce726d3b42cd7ee3f8e0e31a65a1cc1a6eac730d212d6418a3011c986918d6acbcab1ea2f3165ab797c2d60a8a63c0200fc310207d706b2c3fb147f120bf517dc5320b517bbabab8330f7f57cb2bc40490b6d9db00c2df8fd4b8e6ff3e92520a6f4b83a35c94b528c2c924ef67c5237422a32f51ce207f5236de9f246d7a4ae424afdeccc01d0e12af49d70dfde6b59a225316be1f640f8dc9654e4a645c50cf738fd32fcf468f9bf7d22182a7ce48fcaca55369f654da55ef72ebad9f0b6d0adba01613f4f9607e16a5648fcb15a9436466a3ce9a7c794875500ba46d8b34e1cf534c846365f2454c6408092f70fe1098fb547099d85ac2b3953b1bfa0b393d75333a0fc43b84e54b05dac577f7e056166011c01fad3380aed96607fa90b4058793e9e79c5ea59ef808afa3c16c8c38bd8651f0c41fb57176ad6a792975ae1f25f21c5c147ac9c9b41f8caacfd39d2c6dd062ebf4483785b780f84a9890f1200f815a759f5d60cf8ce71019e389773aba8e08ecb9913dccda3681ad6c174e325e02939cba6158e070f9a4fd55d89f8c6b88f499638979b160fe123cfea7d20d93da0f6438b407aa24fc52a3e108a292bbc6c35d0ff017335dd342719f5526c7d9361296f296369dc2b85bd56c05d099ee54a80af66822b2f7ba69677d797e73bdd072f17167d87ae32c7a024753d44bfc4d9b9dc5f7d4943fa89edbbc7e73951fe2e8973d5e2fd489aee118f119fafa0301250b54ba3b5422980600384c4a55127006e94260f712124c5e9e6b8b03c4f6327a5b80e6a54aa3ee7a8e40a38c06a5968eb2d0c820c67a5de42b72384575931c0720f311231a5e0ad38203c4e9b06cf16475b49645a4f4b29fd1fe20ee584ebea9a13dcf1ba3789e6ea7b164094f946c1bd6fd757899b76858a5d7a8eb2eb5dc244085a082734780a8e870b24b94eb044fdb5e132d61aebe981dc5da60af932796f35283f1d60f5e7068666e41338da4e2cb935e86a7eadeba2f24fb4816fa165cea92ac50e5ea01fa3e170f4d0e8d3b5c6d14ff4648f356b006047a736b0ef291bd4ecc6e2657283d5a1df6b8794cff1437de2a343aecf81dc3c452aa913d8480024789457cc6890d0ba1a0154c15e1a9b489509b8e253bda0b3b973107824bb7cc74fc503dafdf2e539bcb97ce4d93e824ab92dabed1870463b4a3a1f405e1945b5896a9be86491ef850c46249456b1c4ce5cd6f2a06797c0e771329a7d9e4a72116f93c1c30caad61e273b489f0fb4885157f29e33c8cb94cf2cc0d521ce54468e59e1732fb43b200fb4bc2942939d02c65c0cdbc5a2aee7cf9fab9a226d16071b18e4f7287b90102f12a22170c5ec5ab1825f1e285eeaac0120a4b41a35f6fa54260120b653cf4416f563edb79f66882513e5a8fc35fd2d8180c05cadd2f89b9e5dc72739183bb1b4f69e8356159eafde09643fd00f9156bde95e9717fd7ffe544620bf6b080c2d837ab4a684d4eef13c3cc17f453c3783c7a9288d78519354defbfd7e6eaba63113c8ae1064cc720ab7d1da8b4ba95f00f5216d17f072b3b866106c6278948c5cc2fd2f5160a5a555479d2dc30cd5afde5aa1129acb02b96775b433fe228f32b67faa3f3d1bb9e7ef3466b1099855a83bfd65dd301b419e153933d70f20b13749a39548cfa6341cdc265daefc1ca25e3afe65bde1db8d1fa9436f5f6a33e7acf26cfb690c879486ac712fd07f7abf41c0ac2013e0eb950f637874b17dfaebd4fcb6d37fdb036b242f662775bbb243c2e1bbc9022afcfed793453b05b472d2a1bbceadc85434b1aebf1e1be0f92141d43406a3acf34063a93dd6f18ee2f949ade3e0c84680ba20b3a9e108c8f550b7e537b80a5871c1e89e8181427cb771ce64cfcb8cbcda7fdbbf2e6710c36bd4ba72fb206e4668082fcc3be0ec945bcc6cdf6ae1f761f0cc0a0b838945c22611df018a80b1ee3820daace5ee716da87c4b0b34bcecee25dfd5943782c88ba4572eeda227fafb78655652f9410ca834ef51bcc036d32497e635bec7dee64196430f3aa337d1c36b6c03393fb1bdf9909ce7029cf5a736e5be683634de161968ae9472b35ec7a23db8d1fdeedc94fdff574da6ed0005bb8c6e1ae1cc59a9b4e87933918790e12f0075c82d019516042def5e0bac87cb829d87982cf1b4e625174e7e80b9da838a769a368ef4c0f29df1cf5aaff192db9ef2c892b446cc5507f92e6eebeca9ee9a5c7d11706237d0f6c4f23ddfee3ccfaa6324a7a7222c0883a3a651083fd84bba377c7202615b63871ba7b13a50ee8cac619bbb51d1220deda7177b5fe4b580578dfd4e0268e6cfe747f46aa016729758762cd06a1f4bb923aa95ea645f85d21ae6d287f9107d15eabdf1e3a0d0bdc7c18c276b3a5c1c62184ed2a792839dbe7a0ca7a51c959ecdcc3da68b3a15bce03da652e3b4a2b4adad2a4effd78c6896cb2c2d7fcd1374c6483a5b64d9b241da81556ee44549a58a0af82f7fd2c87b0b88bfcdcd78741a8e25839bbf47cfe1a11b7d349ba5959b3bfbf064c551ca9d4756879362033fb50340d65673386dd971ab2f3c489c5dfd223e00a19382bd113a1248558ec36b6cdb98eb118642a4757e533d011f48c706c70ab99a101a8d1aefc93b64a880b3f1eff0c44fe32970941a6423b57a2d338938f61c77388f0f3a60b4e5e14f53cd81eadce30279f154a53ecfa728e5f6df0d1a3c0dda0b44d35d7945f2ca73f50c6dce0eea2614523160591d5817f310cddb0cc115394290f6095edaff7a678110bfc00212609fa0e0c95e0fd9b1032fef627ba3fe395157f703c6fc6dd748e54b6a312d7400dfbe116ee6b9814c6adaf74f5779637876ceec751e540da3df1dfee99e29a6a02586ba58b4a2ecb084cfa2dce6f6e7e19133743abfdd885b6a9aac9fce22141358f5244b1d0b2fc3e4a215f4cbe27604fe17d666568cffd3962c0cb27ca2ec6a15db8a5d1a97eaa947f67282c360a2aa2a298463f3db952102a0d3bde61c34a600d68a6b032fc1bfc934b197ed37a00aedae19ab67a18e926535524e9f4f5fc774258234d1ef20f9a429ffb3c6c3730eabf6382b9b366af1da77ae082d42687cc7409d63864dbb3e4d8540bd74d496942c018c7051e47a375fb68565d8640a242bd288aecddb266211d9036b49bb237be97afb42cdf661f7a8ae560bde9896de7cabb671b47a0eb334fd0bfc99a0defc92dd64ad3fede0b49b2bdb9a6abe44b1142d690315195ce44f55ba96b928b474817e7b2cb83037e49a7faabcf2e5fccb5dc77697613a5a3be9b2516c5a2fffd04dc0231af45c3370648e1aa84834f4256823b04bc9094b6b1ccca96ce7fd54b6cac781c09e9c760ec6ee7360c6c15762f9fe9e74f27dcb2419408169840305ec8e10010875e966879e240ac040b2f88e19f366e86eae4f47f9b3ee00d3eb0bd1c5fa22375f24d3835f2cd777e4977b06cf06c504b576ee30707f3d7e38678836e7b1867b3125db6b1a256110b8dea96ff686b199c5d6eb1a330cddb770039408a3d626b5733af3717c2d0a69812a1304183515b50e3c38c67e4341d47cd1fafdb6f5dc2785b91826352c3e494fd4bf2b9def1637e87526f0c0a85e1cfb0ff6e7deeb44554c1947fe7a248c4398b3354d807fa91ac2af0d2c0a88909519812a22478a0af1d7247430edd8c1bcd071c848932be785edc860b26444b0593295cd17ad56f96725adaa39e1c0610c78f20a2ae42d011f0a01db1c44ae637c4cf0af452189b42b06b95b76840659eeb50aca778ee40dd3f9a73d9c7d499358d2ec444eda5d2004631aa445a9bc23cf38fe419ccf23309ae756966da6b622da7d7dea4b36cca8293a0ec21eb40583ac871adc2de6761237d855984c0c6b74b075bf4e0a8952eb4e206c38312e31ed52aadd1cb5e11e418200c6d4e4f52615bacf1aa538d327a70d5c0de56230c969cc34aef24890291231bdc8bda4e7c48119a02b123bec90955bc5415662585816796107fcd8330b1c5339849c70cad6e6e11f2e287a9c4e368a2474f8375a00b3bcc65a4f541513773693d8f5d11a34b8e21c765cefd9ce6875a2996b45cd0dc71b7442fa8c44cceecd4c4b1a5c4e4bf6ed1c441bbae2097bfd459298d1abda17d850857d1612b0d98914cddd3230d6fd727116ff2c2bc3f517e3bade921e4c557f54d20c668f56678035109a961a315c590cbb5d8bb60f94606ffd6bcbae36e66a2b69263b4a78676f4bd04fe966b83286364b8635db05e14a600338b9e3f43364c696815ffa0129a6e357d44c2bba4dfff169b23f722dc7311f928583f161fc930ba0eaac68f0892ca8c38d1df1875b2b47217fd7e5009c0a6c6204fbe6aab8abab64c5e5dae068ef1c296b43bf50782ae3f814ef6df3061ce39d78f20f2e20c0d3d06cb8ec2a2c28f4b9f40f4c09a81da5545801f020a0c2433f21ed1c1c66ada22733441dcb3651c40eade99544e0c3f114bbd77cf26324afde0756c155dec7ae7cfc52f80952b17be386d17ace15bd03b4a1bdf5e2ecbfac9fd693bf8d5f0bb74aec46352d450fffc9bee94334e07f455687b8fdc07438c289d54197ee9c7ff50263879bf826c465ed136fd399a839ba116d33475fa42d411ef446bb605392adf979ee818cf85c5136c420df9c3685efe04f40e38bfc7c7b1a75a74bb95ad6183d0809de98bc6a38faf573a30dbe59a34a931d081347e6493d7f14638cf362db31483331f94fa2d50e2ae76874b88e2956a8df344f75f50f2e007727f9bf1a16aba381f36c024a31333f108baf2d34799c936a330434a23bbbfbf4511c6cdf1cc9c78acaa1512b80e33aa01769cccc2fcec782ea75d0cfde005598827b5f9d30522e3ca42423ccb57f9706526f58260e9d6a0fd6993fb7e7019d6e98035dc0ac5b3b6b749c7dd5767adada5828dbbb2f6a169299d4f99b8d7b93f5d6bb857167a1ac93ec629029fbf2597884af12b20c20c93fa3cc339ea10a5be169438e4502beaaaa37f4ab82b0a78fe2adbda99599711f67cbe2c39392f1be02aef66a33126ef1e9f0c6a14b429404a2cbbe0a79d0d39ef101635f1624e3e03ebc101ab5e62729ff0a110f0bd406a826762e2bf00e5b18c2af12b7c7cd1444428025470db8a1754e58bf8449a188f07f84768ca8a898806d28b3527344f6a4ac8df166f1be3521e24c6f2aa7a145ab7c32793fa70029e40a77d09b281a2bf57765824da153e628ef9dafdaff8f3aeea9d3b6e20d931d168f5469553cb3f7b73ab36da551ec7b4616fba6ad58e28ffbb317d7eff632de0c784a32f02927aec44a6f0aed1c2980df7c94ebea2cf70ff2a934b366f4ad4d5289f998078f7f772c2f98c1dbf4eef10cea59f1e8bfb9b3abda219f0ace55e36d99dbebf811e0ba8999f73f26d484a36878b0a94d2b899edffccca52288a25bcb3ceebfd7a1d55f628801d0be6933fd438d90115215231f18e50ae5af18629cc2d622d9a3bb29c5d49e90ffdbdd2c9b531eb5e910a55814bae32d5cdf05100f2cf0d018d6172c4ac0aa2f41ef1771132b56ac2c25bb46c708cb20330fd8e21062e1c55115702bdc99f1cd785901f944096c87cae9cf1873c27f3d883de67f110ef4f2203c305aaae3c721f5f3c80107966d2e8ca28b21518f94b6afddf18c2f5359ce7b6ab54b2c08eea73344aab92e92d3b77bd6d87a8296dfc31183cecf649fa5e7c3214d02a611a466edfffb7f7ef0c1b6bf130735986970b6ef57dfcebce45f456ccc53a7000e4ec682c688b4e6d09baca1eca430ef8895b097ed427de98fe7f947e72f10fd74809f53f2216cf97560992c1c534e4904627e63693c4c6b7f04e859d0ec3feed2e6c245b89b28bbaf03329b6b0155ec5b89a335bfef5df5d1e5d90d9445f68f44d78c52429e3c59f84b00912a516bae497960acae185107dba6a5227b0eaef370b7b957402ca52872e59a7ba3e6ddfffed279e3431f1bda5b51b55d38ac61a731902ebba5d33a6d84fb941c2a1d01735aeb47ff8b109a361367b901aa7cfa289250828a11e9d2d88c1eaeaa6aba2956665c485d59ecb976bb825d02887e744e355bf36df292a80a048e735fdfdab86759616e2c7afe661bcb36b63489f3a74d1092673cf616cf49578bb2ee26e3e2369ecd08c137db26a313f58ee7c16ec31fcfb4b25299750cb501056a73923f87107731b0e5f202f00
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2009-04-27 19:16 1742848 -c--a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:wildtangent games
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/5/2010 1:51 AM 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/12/2011 3:46 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/12/2011 3:46 PM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2011 3:46 PM 19544]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 2146496]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 15:14]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 18:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-14 18:13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 01:13
.
Pre-Run: 58,615,099,392 bytes free
Post-Run: 58,515,841,024 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 24007FFF84F1A88612423586EE6815A8
  • 0

Advertisements


#26
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,425 posts
  • MVP
Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"=-

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.

Post the new log.

Ron
  • 0

#27
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall:: :unsure:
Kill All: WHAT, what does that mean. Are you saying I'm going to DELETE ???
Or are you talking about all I have HIGHLIGHTED below, am I going to delete this. Please be more specific will you because I'm confused and don't want to do the wrong thing ...


DirLook::
C:\Program Files\Common
%user%\library

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"=-

******************************************


------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-14 18:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-14 18:13:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-15 01:13
.
Pre-Run: 58,615,099,392 bytes free
Post-Run: 58,515,841,024 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 24007FFF84F1A88612423586EE6815A8




Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop),
CFScript WHAT ???, OK. Close notepad.
(Overwrite the old one if it's still there.
OVERRIDE WHAT and if it's still there ??? You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to george and let it start as before.
So I'm running George -- ((( ComboFix ))) again ??? And will you please stop talking to me like I'm one of you, a Tech. I need you to hold my hand, really, if you will, because I don't understand what your talking about. I'm not this Technical. :)


Edited by simplee55, 15 May 2011 - 10:13 AM.

  • 0

#28
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,425 posts
  • MVP
If you don't want to be a tech don't question what the scripts do. KillAll just stops all the active processes. We are trying to delete an obviously bad registry entry.

Since you don't like my Combofix method we can do it with OTL. It's a bit easier and you have already done it once.

Copy the text in the code box by highlighting and Ctrl + c

:reg
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LegacyDrive"=-
     
:Commands
[RESETHOSTS]
[purity]
[emptytemp]
[Reboot]

then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Open OTL again and select either the Use SafeList or All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Now run Combofix again. Just double click on it. Copy and Paste the log. I want to verify that OTL removed the bad registry entry.

Ron
  • 0

#29
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Ron:

Here are the two (2) Logs:


All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\\LegacyDrive deleted successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Debra Flowers
->Temp folder emptied: 5111926 bytes
->Temporary Internet Files folder emptied: 698384 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 110601615 bytes
->Flash cache emptied: 1115 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 913465 bytes

Total Files Cleaned = 112.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05152011_101308

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


The 2nd Log:


OTL Extras logfile created on: 5/15/2011 10:27:04 AM - Run 3
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\Debra Flowers\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,022.00 Mb Total Physical Memory | 722.00 Mb Available Physical Memory | 71.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.62 Gb Total Space | 54.48 Gb Free Space | 76.07% Space Free | Partition Type: NTFS

Computer Name: DEBRA | User Name: Debra Flowers | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"443:TCP" = 443:TCP:*:Enabled:wildtangent games

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe" = C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe -- ()
"C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe" = C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe -- ( )
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00170409-78E1-11D2-B60F-006097C998E7}" = Microsoft Word 2000
"{0611BD4E-4FE4-4a62-B0C0-18A4CC463428}" = CP_Package_Variety1
"{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{09984AEC-6B9F-4ca7-B78D-CB44D4771DA3}" = Destinations
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{0F756CD9-4A1E-409B-B101-601DDC4C03AA}" = Qualxserve Service Agreement
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{1C139D7D-9FEA-468d-A9C8-2A6E3BDE564A}" = CP_Package_Variety3
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2466E904-7E48-4597-9321-722CF02930EB}" = 5600
"{26A24AE4-039D-4CA4-87B4-2F83216023FF}" = Java™ 6 Update 24
"{2CADCEAB-D5DA-44D6-B5FC-7DEE87AB3C0C}" = Unload
"{30C19FF2-7FBA-4d09-B9DE-1659977F64F6}" = TrayApp
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{36FDBE6E-6684-462B-AE98-9A39A1B200CC}" = HP Product Assistant
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54E3707F-808E-4fd4-95C9-15D1AB077E5D}" = NewCopy
"{56F8AFC3-FA98-4ff1-9673-8A026CBF85BE}" = WebReg
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B622B7A-60FB-4630-B11D-F121D20BCCD6}" = MarketResearch
"{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}" = HP PSC & OfficeJet 5.3.B
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6BB6627C-694F-4FDC-A3E5-C7F4BED4C724}" = DocProc
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{7850A6D2-CBEA-4728-9877-F1BEDEA9F619}" = AiOSoftware
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7C9B95B7-B598-4398-B30F-7F6827192E6C}" = ProductContext
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8D8024F1-2945-49A5-9B78-5AB7B11D7942}_is1" = Auslogics Registry Cleaner
"{923A7F5A-1E8C-4FBE-8DF6-85940A60A79F}" = Readme
"{A195B13E-A5E3-4BAF-A995-7F70F445CD06}" = ScannerCopy
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{B824B5C9-849F-4b9e-9EA7-6FD8CD8116DA}" = CP_Package_Variety2
"{B95B1BA9-F887-4B3C-8D3A-CCD4C4675120}" = Microsoft Default Manager
"{B996AE66-10DB-4ac5-B151-E8B4BFBC42FC}" = BufferChm
"{BFD5AC8A-5884-4da8-9873-3DF8E3DCCE18}" = 5600Trb
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC7984C5-020D-4944-85A0-58D09D4A8BFB}" = 5600_Help
"{CE24344F-DFD8-40C8-8FD8-C9740B5F25AC}" = Fax
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics Disk Defrag
"{E3F90083-80D4-4b5a-87C7-E97E12F5516D}" = HPProductAssistant
"{EA103B64-C0E4-4C0E-A506-751590E1653D}" = SolutionCenter
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F4C2E5F5-2970-45f4-ABD3-C180C4D961C4}" = Status
"{FE64AE29-0883-4C70-8388-DC026019C900}" = HP Image Zone Express
"Ad-Aware" = Ad-Aware
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Atomic Alarm Clock_is1" = Atomic Alarm Clock 5.87
"avast" = avast! Free Antivirus
"BFGC" = Big Fish Games: Game Manager
"BFG-Fear For Sale - Mystery of McInroy Manor" = Fear For Sale: Mystery of McInroy Manor
"BFG-Shadow Wolf Mysteries - Curse of the Full Moon" = Shadow Wolf Mysteries: Curse of the Full Moon
"HP Imaging Device Functions" = HP Imaging Device Functions 5.3
"HP Solution Center & Imaging Support Tools" = HP Solution Center & Imaging Support Tools 5.3
"HPExtendedCapabilities" = HP Extended Capabilities 5.3
"ie8" = Windows Internet Explorer 8
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = MSN
"Mystery Case Files: Return to Ravenhearst™" = Mystery Case Files: Return to Ravenhearst™
"PROSet" = Intel® PRO Network Adapters and Drivers
"Revo Uninstaller" = Revo Uninstaller 1.88
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/12/2011 9:28:19 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1001
Description = Fault bucket -1853827371.

Error - 5/12/2011 9:37:28 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1002
Description = Hanging application treasuresofmysteryisland3_at_tb1.tmp, version
51.51.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/12/2011 9:37:29 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1002
Description = Hanging application treasuresofmysteryisland3_at_tb1.tmp, version
51.51.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/12/2011 9:37:34 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1001
Description = Fault bucket -1853827371.

Error - 5/12/2011 9:37:36 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1001
Description = Fault bucket -1853827371.

Error - 5/13/2011 2:12:37 AM | Computer Name = DEBRA | Source = Application Hang | ID = 1002
Description = Hanging application TOMI. The Ghost Ship.exe, version 1.0.0.2, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/13/2011 2:12:44 AM | Computer Name = DEBRA | Source = Application Hang | ID = 1001
Description = Fault bucket -1855718956.

Error - 5/14/2011 8:43:37 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1002
Description = Hanging application Ad-Aware.exe, version 9.0.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 5/14/2011 8:43:44 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1001
Description = Fault bucket -2031491355.

Error - 5/15/2011 12:59:33 PM | Computer Name = DEBRA | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 9.0.0.2717, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The McciCMService service terminated unexpectedly. It has done this
1 time(s).

Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s).

Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).

Error - 5/13/2011 11:57:36 AM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7031
Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
10000 milliseconds: Restart the service.

Error - 5/15/2011 1:13:09 PM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 5/15/2011 1:13:09 PM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The McciCMService service terminated unexpectedly. It has done this
1 time(s).

Error - 5/15/2011 1:13:09 PM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/15/2011 1:13:09 PM | Computer Name = DEBRA | Source = Service Control Manager | ID = 7034
Description = The Yahoo! Updater service terminated unexpectedly. It has done this
1 time(s).


< End of report >
  • 0

#30
simplee55

simplee55

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 539 posts
Here is the ComboFix Log:


ComboFix 11-05-14.03 - Debra Flowers 05/15/2011 10:44:58.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.686 [GMT -7:00]
Running from: c:\documents and settings\Debra Flowers\Desktop\George.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-15 to 2011-05-15 )))))))))))))))))))))))))))))))
.
.
2011-05-15 17:13 . 2011-05-15 17:13 -------- d-----w- C:\_OTL
2011-05-13 18:46 . 2011-05-13 19:53 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\DailyMagic
2011-05-12 17:19 . 2011-05-12 17:19 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\LegacyInteractive
2011-05-12 04:04 . 2011-05-12 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2011-05-09 04:53 . 2011-05-09 04:53 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\quickclick
2011-05-01 13:01 . 2011-05-01 18:26 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\Digital Smoke
2011-05-01 13:01 . 2011-05-01 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Micro Digital
2011-05-01 13:01 . 2011-05-01 13:01 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\Downloaded Installations
2011-04-30 17:59 . 2011-04-30 17:59 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Az-Art
2011-04-30 02:52 . 2011-04-30 02:52 -------- d-----w- c:\documents and settings\Debra Flowers\Local Settings\Application Data\dj3
2011-04-28 09:28 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 09:28 . 2011-04-28 09:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 09:28 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 00:18 . 2011-04-28 01:30 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Maximize Games
2011-04-28 00:18 . 2011-04-28 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Maximize Games
2011-04-26 21:26 . 2011-04-26 21:26 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Sungift Games
2011-04-26 21:26 . 2011-04-26 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Sungift Games
2011-04-24 19:25 . 2011-04-24 20:33 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Happy Muffin Top
2011-04-21 18:07 . 2011-04-21 18:07 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\Funlinker
2011-04-19 03:58 . 2011-04-19 03:58 -------- d-----w- c:\documents and settings\Debra Flowers\Application Data\My Games
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-09 21:00 . 2009-08-18 18:30 564632 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\wlidui.dll
2011-03-09 21:00 . 2009-08-18 18:24 18328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-03-07 05:33 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-10 17:51 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 17:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-23 14:04 . 2011-04-12 22:46 40648 ----a-w- c:\windows\avastSS.scr
2011-02-23 14:04 . 2011-04-12 22:46 190016 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-23 13:56 . 2011-04-12 22:46 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-02-23 13:56 . 2011-04-12 22:46 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-23 13:55 . 2011-04-12 22:46 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-23 13:55 . 2011-04-12 22:46 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-23 13:55 . 2011-04-12 22:46 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-23 13:55 . 2011-04-12 22:46 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-23 13:54 . 2011-04-12 22:46 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-23 13:54 . 2011-04-12 22:46 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-22 23:06 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2005-07-12 02:06 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-07-12 02:06 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-15 12:56 . 2004-08-10 17:50 290432 ----a-w- c:\windows\system32\atmfd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkinClock]
2009-04-27 19:16 1742848 -c--a-w- c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mcupdmgr.exe"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:wildtangent games
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/5/2010 1:51 AM 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/12/2011 3:46 PM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/12/2011 3:46 PM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/12/2011 3:46 PM 19544]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 1:55 AM 2146496]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 11:26 PM 15232]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 15:14]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-15 10:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3556)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-15 10:59:35
ComboFix-quarantined-files.txt 2011-05-15 17:59
ComboFix2.txt 2011-05-15 01:13
.
Pre-Run: 58,465,771,520 bytes free
Post-Run: 58,450,268,160 bytes free
.
- - End Of File - - 4EC6C494897D80B28DDD46B3FA02320D
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP