Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Maleware: Rundll32.exe not found & Automatic Updates not turned on

Started by wisesilver , May 17 2011 06:09 PM

  • Please log in to reply

#1
wisesilver
Posted 17 May 2011 - 06:09 PM

wisesilver

    Member

  • Member
  • PipPipPip
  • 501 posts
Hello, We had several Malware items appear last week. :yes: I was able to remove several with Malwarebytes run in safe mode. But on booting up normally I encountered a few issues.
1) There is a red shield in the system tray on the right that has a balloon stating that "Your Computer may be at risk, Automatic Updates is turned off, Click this balloon to fix this problem".
2) When I right click "My Computer" and select Properties, to check if this is true, i get rundll32.exe is not found.
3) If I try to run other itrems I either get rundll32 not found or the popup to associate the item to an application appears.
4) Programs run in safe mode so the rundll32.exe problem is very suspect.
5) I ran the Prefetch (something like that) and deleted all the cache files - this didn't help.
6) I ran eset in safe mode and it removed 14 items. But this did not solve the problem. :)

Attached are the OTL scan results, also run in safe mode. Can you assist me? :unsure:
OTL logfile created on: 5/17/2011 7:44:10 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 128.00 Gb Total Space | 16.16 Gb Free Space | 12.63% Space Free | Partition Type: NTFS
Drive D: | 21.05 Gb Total Space | 16.88 Gb Free Space | 80.18% Space Free | Partition Type: NTFS
Drive I: | 931.51 Gb Total Space | 694.96 Gb Free Space | 74.61% Space Free | Partition Type: NTFS

Computer Name: WEISS3GIG | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/17 19:43:06 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\OTL.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/17 19:43:06 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/03/18 08:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2011/01/06 16:23:18 | 006,128,720 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2010/10/22 05:58:18 | 000,265,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG10\avgwdsvc.exe -- (avgwd)
SRV - [2010/08/24 05:38:18 | 000,092,008 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/07/15 13:43:46 | 000,109,168 | ---- | M] (Portrait Displays, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe -- (PdiService)
SRV - [2009/05/21 22:13:36 | 000,248,832 | ---- | M] (Hewlett-Packard Co.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll -- (hpqcxs08)
SRV - [2009/05/21 22:09:24 | 000,660,992 | ---- | M] (Hewlett-Packard Co.) [Auto | Stopped] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPSLPSVC32.DLL -- (HPSLPSVC)
SRV - [2009/05/21 22:03:06 | 000,133,120 | ---- | M] (Hewlett-Packard Co.) [Auto | Stopped] -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll -- (hpqddsvc)
SRV - [2008/07/30 14:23:26 | 000,161,064 | ---- | M] (Seagate Technology LLC) [Auto | Stopped] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2008/06/24 19:56:38 | 000,431,384 | ---- | M] (Seagate) [Auto | Stopped] -- C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe -- (SgtSch2Svc)
SRV - [2008/06/06 11:40:00 | 000,069,632 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe -- (DTSRVC)
SRV - [2005/01/27 19:16:58 | 000,856,064 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrvR) InCD Helper (read only)
SRV - [2005/01/27 19:16:58 | 000,856,064 | ---- | M] (Nero AG) [Auto | Stopped] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2003/03/03 14:33:40 | 000,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/12/20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/12/08 05:12:38 | 000,251,728 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2010/11/12 14:19:38 | 000,299,984 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2010/09/13 17:27:24 | 000,025,680 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys -- (AVGIDSEH)
DRV - [2010/09/07 04:48:56 | 000,034,384 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Stopped] -- C:\WINDOWS\system32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2010/09/07 04:48:50 | 000,026,064 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\avgrkx86.sys -- (Avgrkx86)
DRV - [2010/08/19 22:42:38 | 000,030,288 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2010/08/19 22:42:36 | 000,123,472 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/08/19 22:42:34 | 000,026,192 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Stopped] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/10/05 16:56:52 | 000,006,144 | ---- | M] (Promethean Technologies Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\activmouse.sys -- (prmvmouse)
DRV - [2009/07/15 14:48:36 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
DRV - [2009/07/15 13:43:32 | 000,017,136 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PdiPorts.sys -- (PdiPorts)
DRV - [2009/05/05 16:25:12 | 000,055,936 | ---- | M] (Promethean Technologies Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\activhidsermini.sys -- (ActivHidSerMini)
DRV - [2009/03/12 23:11:13 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/03/12 23:11:13 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/03/12 23:11:08 | 000,132,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2009/03/12 23:11:06 | 000,368,480 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpman.sys -- (tdrpman)
DRV - [2007/08/28 09:48:24 | 000,065,024 | ---- | M] (Kerio Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\kvpndrv.sys -- (kvpndev)
DRV - [2007/02/09 12:17:18 | 000,017,465 | ---- | M] (Portrait Displays, Inc.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\pivot.sys -- (Pivot)
DRV - [2007/02/09 12:17:16 | 000,011,323 | ---- | M] (Portrait Displays, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pivotmou.sys -- (pivotmou)
DRV - [2007/01/29 06:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
DRV - [2006/11/09 11:59:36 | 000,061,067 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2006/11/09 11:59:36 | 000,047,249 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2005/01/27 19:08:02 | 000,099,200 | ---- | M] (Nero AG) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/01/27 19:07:34 | 000,028,928 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2005/01/27 13:07:28 | 000,027,776 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\InCDrm.sys -- (incdrm)
DRV - [2005/01/12 21:28:04 | 000,116,224 | ---- | M] (InterVideo) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\IviUdf.sys -- (iviudf)
DRV - [2005/01/12 07:29:28 | 000,038,784 | ---- | M] (InterVideo) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ivicd.sys -- (ivicd)
DRV - [2004/10/19 19:06:48 | 000,008,320 | R--- | M] () [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\sbfshook.sys -- (SBFSHOOK)
DRV - [2004/10/07 21:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/03/09 15:58:06 | 000,329,088 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\3c1807pd.sys -- (3c1807pd)
DRV - [2003/10/28 16:17:52 | 000,005,273 | ---- | M] (Arrowkey) [Kernel | Auto | Stopped] -- C:\Program Files\321Studios\Shared\CDRPDACC.SYS -- (CDRPDACC)
DRV - [2003/09/19 02:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2002/08/14 16:03:36 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2001/08/17 14:28:26 | 000,113,762 | ---- | M] (U.S. Robotics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USRpdA.sys -- (USRpdA)
DRV - [2001/08/17 08:50:26 | 000,731,648 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4.sys -- (nv4)
DRV - [1999/06/30 03:49:10 | 000,023,200 | ---- | M] () [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\ppsio2.sys -- (ppsio2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2011/02/26 00:15:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2011/04/23 09:30:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/10/03 13:57:23 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\avg@igeared: C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared [2011/05/12 18:44:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG10\Firefox4\ [2011/03/30 18:13:44 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/30 23:29:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/23 09:30:58 | 000,000,000 | ---D | M]

[2011/03/27 14:54:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/30 23:28:55 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2010/08/01 13:07:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (HP Print Enhancer) - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
O2 - BHO: (ZILLAbar Browser Helper Object) - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - No CLSID value found.
O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O3 - HKLM\..\Toolbar: (STOPzilla) - {98828DED-A591-462F-83BA-D2F62A68B8B8} - File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [\\WEISSKIDS2\EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [\Weisskids2\EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [3c1807pd] File not found
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [ActivControl] C:\Program Files\Activ Software\ActivDriver\ActivControl2.exe (Promethean Technologies Group Ltd)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Auto EPSON Stylus CX3800 Series on HME-VJQDGJMFP3P] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe (Seagate)
O4 - HKLM..\Run: [DT ACR] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe ()
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe (Hewlett-Packard)
O4 - HKLM..\Run: [InstantAccess] C:\Program Files\TextBridge Pro 9.0\Bin\InstantAccess.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe (Visioneer Inc)
O4 - HKLM..\Run: [PDF3 Registry Controller] C:\Program Files\ScanSoft\PDF Converter 3.0\RegistryController.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe ()
O4 - HKLM..\Run: [Seagate Scheduler2 Service] C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe (Seagate)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil10p_ActiveX.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\The Print Shop 23.1\Remind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ListProAlarms.lnk = C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe (Ilium Software, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk = C:\Program Files\PKWARE\PKZIPM\9.00.0010\PKTray.exe (PKWARE, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SPB Backup Sync.lnk = C:\Program Files\Spb Backup\SPBBackupSync.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\smart web printing\hpswp_BHO.dll (Hewlett-Packard Co.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.appl...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} http://support.f-sec...m/ols/fscax.cab (F-Secure Online Scanner 3.1)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} http://webiq005.webi...6-6D5536C585C9} (WebIQ Engine Application Object)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.micros...ntent/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1134874155827 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1193394449812 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} https://www2.gotomee...ets/g2mdlax.cab (GoToMeeting/GoToWebinar Web Starter)
O16 - DPF: {A4069847-C342-48E2-9257-01A24E5C78EA} http://support.f-sec...3beta/fscax.cab (F-Secure Online Scanner 3.2)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://penncamera.li...PUploader57.cab (Image Uploader Control)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop BackupWallPaper:
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/03/23 17:39:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/08/01 13:34:40 | 000,000,067 | ---- | M] () - I:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgchsvx.exe /sync) - C:\Program Files\AVG\AVG10\avgchsvx.exe (AVG Technologies CZ, s.r.o.)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart) - C:\Program Files\AVG\AVG10\avgrsx.exe (AVG Technologies CZ, s.r.o.)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/16 18:46:33 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2011/05/15 21:57:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe
[2011/05/14 01:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2011/05/14 01:37:39 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2011/05/08 17:32:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/05/08 17:30:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/05/08 17:24:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/05/08 17:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/17 19:37:58 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/17 19:37:39 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/17 19:28:44 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/17 19:25:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D7F88AD-663C-43AA-AC8C-6D71D20ED591}.job
[2011/05/17 19:24:10 | 115,220,127 | ---- | M] () -- C:\WINDOWS\System32\drivers\AVG\incavi.avm
[2011/05/17 07:00:34 | 000,000,811 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/05/14 01:06:55 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/13 23:39:14 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/13 18:33:52 | 000,012,942 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
[2011/05/08 17:32:05 | 000,001,551 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/05/07 10:03:06 | 000,000,077 | ---- | M] () -- C:\WINDOWS\mydebug.ini
[2011/05/06 22:28:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/04/23 09:30:58 | 000,001,738 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/14 01:06:55 | 000,000,811 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/05/14 01:06:55 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/05/13 18:31:44 | 000,012,942 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\l1mt4nci68jk2ni176
[2011/05/08 17:32:05 | 000,001,551 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/02/26 11:15:51 | 000,000,025 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2011/02/26 11:15:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2011/02/20 22:24:16 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/14 09:13:20 | 000,751,152 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1060284298-1563985344-725345543-1003-0.dat
[2011/02/13 22:45:23 | 000,714,750 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2010/10/03 13:50:26 | 000,206,789 | ---- | C] () -- C:\WINDOWS\hpoins35.dat
[2010/10/03 13:50:26 | 000,001,069 | ---- | C] () -- C:\WINDOWS\hpomdl35.dat
[2010/08/01 12:52:00 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/08/01 12:52:00 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/23 09:51:40 | 000,223,016 | ---- | C] () -- C:\WINDOWS\libactivboardex.dll
[2010/03/23 09:51:16 | 000,252,696 | ---- | C] () -- C:\WINDOWS\ActivDRV.dll
[2009/10/20 21:39:41 | 000,002,304 | ---- | C] () -- C:\WINDOWS\System32\Machnm32.sys
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/04/19 20:37:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2009/04/19 20:31:43 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2009/04/19 20:31:43 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2009/03/15 22:36:38 | 000,151,552 | ---- | C] () -- C:\WINDOWS\System32\libexpat.dll
[2009/03/08 12:21:00 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/08 12:21:00 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/08 12:21:00 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/03 20:28:05 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\$_hpcst$.hpc
[2009/01/10 01:36:45 | 000,000,033 | ---- | C] () -- C:\WINDOWS\BiMonitor.ini
[2009/01/10 01:36:33 | 000,028,324 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2008/12/26 16:40:23 | 000,019,791 | ---- | C] () -- C:\WINDOWS\HPHins02.dat
[2008/12/26 16:40:23 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat
[2008/12/26 16:35:52 | 000,019,349 | ---- | C] () -- C:\WINDOWS\HPHins02.dat.temp
[2008/12/26 16:35:52 | 000,004,284 | ---- | C] () -- C:\WINDOWS\hphmdl02.dat.temp
[2008/12/26 16:35:28 | 000,364,544 | ---- | C] () -- C:\WINDOWS\System32\hphped05.exe
[2008/12/26 16:35:22 | 000,006,478 | ---- | C] () -- C:\WINDOWS\System32\hphmon05.dat
[2008/12/07 14:45:43 | 007,764,768 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2008/12/07 14:45:43 | 000,225,056 | -HS- | C] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2008/04/13 16:53:07 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\ftdiunin.exe
[2008/04/13 16:53:07 | 000,000,133 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2007/12/28 22:32:03 | 000,000,172 | ---- | C] () -- C:\WINDOWS\bi_group.ini
[2007/06/06 19:58:30 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\ktzlib80.dll
[2006/09/20 20:05:02 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2006/09/15 20:24:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/07/31 12:00:41 | 000,000,081 | ---- | C] () -- C:\WINDOWS\Visit our web site at www.developerone.com for more great software solutions!
[2006/04/09 12:39:30 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/04/01 18:52:06 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2006/04/01 18:52:06 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2006/04/01 18:52:06 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2006/04/01 18:52:06 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2006/04/01 18:52:06 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2006/04/01 18:52:06 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2006/04/01 18:52:06 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2006/04/01 18:52:06 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2006/04/01 18:52:06 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2006/04/01 18:52:06 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2006/04/01 18:52:06 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2006/04/01 18:52:06 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2006/04/01 18:52:06 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2006/04/01 18:52:06 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/04/01 18:46:48 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPCX3800.ini
[2006/02/04 17:24:00 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/31 22:26:20 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2006/01/17 23:21:52 | 000,240,640 | ---- | C] () -- C:\WINDOWS\System32\nmocod.dll
[2006/01/17 23:20:35 | 000,000,082 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2006/01/15 15:56:07 | 000,008,320 | R--- | C] () -- C:\WINDOWS\System32\drivers\sbfshook.sys
[2006/01/15 15:53:44 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\udffsrec.sys
[2006/01/15 15:53:19 | 000,026,694 | ---- | C] () -- C:\WINDOWS\HWS.exe
[2006/01/15 15:53:19 | 000,026,694 | ---- | C] () -- C:\WINDOWS\HMD.exe
[2006/01/15 15:53:02 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/01/15 15:53:02 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/01/15 15:53:02 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/01/15 15:53:02 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/01/15 15:53:01 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/01/15 15:53:01 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/01/15 15:52:05 | 000,831,600 | ---- | C] () -- C:\WINDOWS\System32\Ctaa1.dat
[2006/01/15 15:51:46 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\cddvdint.dll
[2006/01/15 14:27:01 | 000,000,030 | ---- | C] () -- C:\WINDOWS\INTURS.DAT
[2006/01/15 13:54:24 | 000,000,242 | ---- | C] () -- C:\WINDOWS\qwimp.ini
[2006/01/15 13:45:36 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2006/01/15 13:09:10 | 000,012,126 | ---- | C] () -- C:\WINDOWS\System32\Pixpcz.dll
[2006/01/15 13:09:10 | 000,011,934 | ---- | C] () -- C:\WINDOWS\System32\Pixpnr.dll
[2006/01/15 13:09:09 | 000,004,528 | ---- | C] () -- C:\WINDOWS\System32\Setbrows.exe
[2006/01/15 12:51:48 | 000,000,077 | ---- | C] () -- C:\WINDOWS\mydebug.ini
[2006/01/15 12:36:14 | 000,023,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\ppsio2.sys
[2006/01/14 22:40:09 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2005/08/26 15:28:34 | 000,143,360 | ---- | C] () -- C:\WINDOWS\unzip.exe
[2005/08/26 15:27:58 | 000,045,056 | ---- | C] () -- C:\WINDOWS\devenum.exe
[2005/03/27 13:29:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2005/03/27 13:29:39 | 000,107,134 | ---- | C] () -- C:\WINDOWS\UninstallFirefox.exe
[2005/03/27 13:29:19 | 000,002,872 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2005/03/26 20:32:56 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\nwt.sys
[2005/03/26 19:47:56 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/02 15:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2003/03/24 06:03:00 | 000,279,552 | ---- | C] () -- C:\WINDOWS\System32\FGWVB32.DLL
[2003/02/11 10:58:50 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\e1000msg.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/05/10 17:30:08 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\JPEG32.DLL
[2002/03/23 18:18:40 | 000,036,911 | ---- | C] () -- C:\WINDOWS\System32\pcimsg.dll
[2002/03/23 17:41:26 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2002/03/23 17:37:06 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2002/03/19 19:30:00 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\mag.dll
[2002/03/19 18:30:00 | 000,216,576 | ---- | C] () -- C:\WINDOWS\System32\PowerCalc.exe
[2001/12/31 21:03:39 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2001/12/31 21:02:49 | 001,141,808 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2001/09/28 14:44:58 | 000,257,536 | ---- | C] () -- C:\WINDOWS\System32\BiImg.dll
[2001/08/23 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 08:00:00 | 000,508,316 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 08:00:00 | 000,090,532 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/02/23 12:03:04 | 000,061,502 | ---- | C] () -- C:\WINDOWS\System32\ODBCMON.DLL
[1998/10/11 00:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll
[1997/12/03 06:20:00 | 000,335,360 | ---- | C] () -- C:\WINDOWS\System32\TX32.DLL
[1997/12/01 03:05:00 | 000,000,202 | ---- | C] () -- C:\WINDOWS\System32\IC32.INI
[1996/08/20 21:37:20 | 000,015,840 | ---- | C] () -- C:\WINDOWS\System32\Machnm1.exe

========== LOP Check ==========

[2007/10/20 14:45:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Grisoft
[2010/07/08 22:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Activ Software
[2011/02/20 13:52:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2010/11/13 12:46:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/11/13 12:36:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2006/01/15 17:46:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2006/01/15 17:31:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2006/01/17 23:22:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2010/11/13 12:46:30 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2009/10/08 22:26:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2009/03/15 22:36:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ContentWatch
[2007/10/27 12:47:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2009/12/26 16:34:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ilium Software
[2007/10/20 12:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iolo
[2007/11/05 23:34:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/08/30 00:08:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Metacafe
[2011/05/01 22:00:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2009/01/11 12:12:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2009/01/11 13:50:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PKWARE
[2011/02/26 11:16:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap Games
[2010/07/08 22:57:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Promethean
[2009/01/10 01:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2009/10/11 11:26:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2008/06/27 11:35:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TomTom
[2009/10/08 22:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2010/02/10 13:25:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoYoGames
[2009/01/11 13:48:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zip
[2010/07/02 23:04:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/10/12 08:30:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/09/07 16:38:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2011/05/17 19:25:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2D7F88AD-663C-43AA-AC8C-6D71D20ED591}.job

========== Purity Check ==========



< End of report >
  • 0

Advertisements

#2
Salagubang
Posted 19 May 2011 - 06:07 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Hi wisesilver,

What is the make and model of this machine?
  • 0

#3
wisesilver
Posted 19 May 2011 - 07:10 PM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
Hi Salagubang. :) that is a good question. It is a Gateway with a 3.0 Intel processor. We built it with a gateway motherboard we had available. I'm not sure I have the model number. I might be able to find something if I boot it in safe mode. Will you need that to proceed? :unsure:
  • 0

#4
Salagubang
Posted 19 May 2011 - 07:15 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts

We built it with a gateway motherboard we had available. I'm not sure I have the model number. I might be able to find something if I boot it in safe mode. Will you need that to proceed?


No. :)

  • Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • Click Save log button and Save the aswMBR.log to the desktop
  • Post content of that log here for me

  • 0

#5
wisesilver
Posted 19 May 2011 - 07:41 PM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
Hi Salagubang. :) I ran aswMBR in safe mode. Is that OK? I don't think it would run from a regular boot up. Here is the scan:
aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-19 21:37:34
-----------------------------
21:37:34.828 OS Version: Windows 5.1.2600 Service Pack 3
21:37:34.828 Number of processors: 2 586 0x209
21:37:34.828 ComputerName: WEISS3GIG UserName:
21:37:35.468 Initialize success
21:38:06.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-1b
21:38:06.000 Disk 0 Vendor: WDC_WD1600JB-00REA0 20.00K20 Size: 152627MB BusType: 3
21:38:08.031 Disk 0 MBR read successfully
21:38:08.031 Disk 0 MBR scan
21:38:08.046 Disk 0 unknown MBR code
21:38:10.062 Disk 0 scanning sectors +312576705
21:38:10.093 Disk 0 scanning C:\WINDOWS\system32\drivers
21:38:17.265 Service scanning
21:38:21.453 Disk 0 trace - called modules:
21:38:21.468 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:38:21.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a70bab8]
21:38:21.468 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a75c400]
21:38:21.468 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-1b[0x8a707940]
21:38:21.468 Scan finished successfully
21:38:34.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\MBR.dat"
21:38:34.828 The log file has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\aswMBR.txt"
  • 0

#6
Salagubang
Posted 19 May 2011 - 07:48 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Did you install the operating system in this machine yourself using a XP installation CD or did you use the proprietary Gateway re installation CD.

The reason I ask is because aswMBR is detecting an unknown MBR.

I ran aswMBR in safe mode. Is that OK?

It is alright.
  • 0

#7
wisesilver
Posted 19 May 2011 - 07:51 PM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
My brother-in-law installed it.:) It was probably plain XP not the Gateway flavor.
  • 0

#8
Salagubang
Posted 19 May 2011 - 07:54 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Ok lets dig in.


Step One

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR

Save the log as before and post in your next reply


Step Two

Well remove AVG temporarily.

Download AppRemover and run it.

Click Next >>
Posted Image


Ensure "Remove Security Application" is collected and click Next >>
Posted Image


AppRemover will scan all the security applications on your PC
Posted Image

Select Any AVG entries from the applications offered and click Next >> twice.
Posted Image

Follow any further on-screen instructions. If asked to reboot,please do so.

Note: Please do not browse the internet or open any email attachments until your Anti-Virus is re-installed


Then

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#9
wisesilver
Posted 19 May 2011 - 08:44 PM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
Hi Salagubang. :yes:

I ran everything in Safe mode as well as the reboot for ComboFix. I have the aswMBR log, removed three antimalware products with AppRemover and have the ComboFix log.

Here is the aswMBR Log: :)
aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-19 21:55:57
-----------------------------
21:55:57.250 OS Version: Windows 5.1.2600 Service Pack 3
21:55:57.250 Number of processors: 2 586 0x209
21:55:57.250 ComputerName: WEISS3GIG UserName:
21:55:57.781 Initialize success
21:56:07.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-1b
21:56:07.234 Disk 0 Vendor: WDC_WD1600JB-00REA0 20.00K20 Size: 152627MB BusType: 3
21:56:09.265 Disk 0 MBR read successfully
21:56:09.265 Disk 0 MBR scan
21:56:09.281 Disk 0 unknown MBR code
21:56:11.296 Disk 0 scanning sectors +312576705
21:56:11.328 Disk 0 scanning C:\WINDOWS\system32\drivers
21:56:16.890 Service scanning
21:56:18.328 Disk 0 trace - called modules:
21:56:18.328 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:56:18.328 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a70bab8]
21:56:18.328 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000076[0x8a75c400]
21:56:18.328 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-1b[0x8a707940]
21:56:18.328 Scan finished successfully
21:57:39.406 Disk 0 Windows 501 MBR fixed successfully
21:58:46.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\MBR.dat"
21:58:46.687 The log file has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\aswMBR01.txt"


And here is the ComboFix Log: :unsure:
ComboFix 11-05-18.04 - Administrator 05/19/2011 22:18:00.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1746 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\Anti Virus & Spyware\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\COMPUTER\GoToAssistDownloadHelper.exe
c:\documents and settings\COMPUTER\WINDOWS
c:\documents and settings\Steve\Favorites\Thumbs.db
c:\documents and settings\sweiss\Favorites\Thumbs.db
C:\readme.txt
I:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-16 22:46 . 2011-05-16 22:46 -------- d-----w- c:\program files\ESET
2011-05-16 01:57 . 2011-05-16 02:11 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-05-14 05:37 . 2011-05-14 05:37 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-05-08 21:30 . 2011-05-08 21:30 -------- d-----w- c:\program files\iPod
2011-05-08 21:24 . 2011-05-08 21:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-05-08 21:21 . 2011-05-08 21:21 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2002-03-23 21:37 692736 ------w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2001-08-23 12:00 420864 ------w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2001-08-23 12:00 1857920 ------w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2002-03-23 22:10 385024 ------w- c:\windows\system32\html.iec
2011-02-21 22:59 . 2011-02-21 22:57 61152 ----a-w- C:\TestPresDay.exe
2011-02-20 23:25 . 2011-02-20 23:25 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2011-05-01 03:28 . 2011-03-27 18:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"3c1807pd"="c:\windows\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-17 3022848]
"nwiz"="nwiz.exe" [2003-11-17 753664]
"OneTouch Monitor"="c:\program files\Visioneer OneTouch\OneTouchMon.exe" [2001-09-10 86016]
"PDF3 Registry Controller"="c:\program files\ScanSoft\PDF Converter 3.0\\RegistryController.exe" [2005-04-12 106496]
"\Weisskids2\EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"\\WEISSKIDS2\EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-02-07 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-02-07 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-24 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-24 136472]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-30 177448]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2008-06-06 81920]
"ActivControl"="c:\program files\Activ Software\ActivDriver\ActivControl2.exe" [2010-03-23 1088800]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"Auto EPSON Stylus CX3800 Series on HME-VJQDGJMFP3P"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\The Print Shop 23.1\Remind.exe [2010-6-21 344064]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
ListProAlarms.lnk - c:\program files\Ilium Software\ListPro\ListProAlarms.exe [2009-12-26 142200]
openURL.vbs [2011-5-19 131]
PKZIP Attachments Status.lnk - c:\program files\PKWARE\PKZIPM\9.00.0010\PKTray.exe [2009-1-10 169552]
SPB Backup Sync.lnk - c:\program files\Spb Backup\SPBBackupSync.exe [2008-8-19 610304]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\U.S. Robotics\\ControlCenter\\ctrlcntr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2640:TCP"= 2640:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
.
R0 ivicd;Ivi CDVD Filter Driver;c:\windows\system32\drivers\ivicd.sys [1/15/2006 3:53 PM 38784]
R3 ActivHidSerMini;Promethean Serial Board Driver;c:\windows\system32\drivers\activhidsermini.sys [5/5/2009 4:25 PM 55936]
R3 prmvmouse;Promethean HID Mouse Service;c:\windows\system32\drivers\activmouse.sys [10/5/2009 4:56 PM 6144]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2008 2:23 PM 161064]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 10:14 PM 135664]
S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [10/20/2009 9:39 PM 109168]
S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [1/15/2006 12:36 PM 23200]
S2 SBFSHOOK;SBFSHOOK;c:\windows\system32\drivers\sbfshook.sys [1/15/2006 3:56 PM 8320]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 7:56 PM 431384]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 5:38 AM 92008]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/28/2010 10:14 PM 135664]
S3 iviudf;iviudf;c:\windows\system32\drivers\IviUdf.sys [1/15/2006 3:53 PM 116224]
S3 kvpndev;Kerio VPN adapter;c:\windows\system32\drivers\kvpndrv.sys [8/28/2007 9:48 AM 65024]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
*Deregistered* - udffsrec
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:14]
.
2011-05-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 02:14]
.
2011-05-17 c:\windows\Tasks\User_Feed_Synchronization-{2D7F88AD-663C-43AA-AC8C-6D71D20ED591}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://penncamera.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-InstallShield_{F0840D6B-30DD-11D6-B2CB-00036D15D534} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 22:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1060284298-1563985344-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,5d,7f,f6,57,d1,1f,40,8d,46,90,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,5d,7f,f6,57,d1,1f,40,8d,46,90,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(992)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(500)
c:\windows\system32\WININET.dll
.
Completion time: 2011-05-19 22:36:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-20 02:36
ComboFix2.txt 2010-08-01 17:09
ComboFix3.txt 2009-03-08 16:32
ComboFix4.txt 2009-01-16 04:07
.
Pre-Run: 18,188,038,144 bytes free
Post-Run: 18,961,215,488 bytes free
.
- - End Of File - - 582BAD326D0572B75083F8715C52527B
  • 0

#10
Salagubang
Posted 19 May 2011 - 08:49 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Step One

  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter:

    fixmbr
  • At the next prompt type the following bolded text, and press Enter:

    exit

Restart the machine in normal mode. Then run an aswMBR scan one more time. Post the log on your next reply.


Step Two

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

Advertisements

#11
wisesilver
Posted 20 May 2011 - 08:24 AM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
For the recovery console, I may need to change the flag for the timeout to from 0 seconds to something larger. During a previous post with GrayKnight17 we set this to zero so I wouldn't see it on boot up.

Notes from that post for me :): To do this, right click on My Computer and go to Properties. Then go to the Advanced tab and click on the last Settings button for Startup and Recovery. On the first option there (Time to display list of operating systems), you can either check it or change it to something greater than 0.
  • 0

#12
Salagubang
Posted 20 May 2011 - 08:29 AM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
:)

Give it a go.
  • 0

#13
wisesilver
Posted 20 May 2011 - 06:30 PM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
Hi Salagubang. :)

I Restarted my computer, selected the Recovery Console, seleceted Type 1 for my Windows installation, entered fixmbr and Y then exit. :unsure:

When I started normally I was unable to run aswMBR. :) Windows requested me to find an application to associate it with. :yes: So I didn't porceed any further.;) Do you want me to do the next 2 steps in safe mode instead (aswMBR and Malwarbytes)? :)
  • 0

#14
Salagubang
Posted 20 May 2011 - 06:36 PM

Salagubang

    Trusted Helper

  • Malware Removal
  • 3,891 posts
Ok proceed to the next steps please. (Trying normal mode first, else run it in safemode) :)
  • 0

#15
wisesilver
Posted 21 May 2011 - 06:25 AM

wisesilver

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 501 posts
Hi Salagubang. :)

I had to run both in safe mode. After runnin aswMBR I booted in normal mode but had the same problem where Windows wanted to know the application to associate with Malwarbytes. :unsure:

Here is my aswMBR log:
aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-20 21:09:11
-----------------------------
21:09:11.578 OS Version: Windows 5.1.2600 Service Pack 3
21:09:11.578 Number of processors: 2 586 0x209
21:09:11.578 ComputerName: WEISS3GIG UserName:
21:09:14.234 Initialize success
21:09:22.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T1L0-1b
21:09:22.375 Disk 0 Vendor: WDC_WD1600JB-00REA0 20.00K20 Size: 152627MB BusType: 3
21:09:24.406 Disk 0 MBR read successfully
21:09:24.406 Disk 0 MBR scan
21:09:24.421 Disk 0 Windows XP default MBR code
21:09:26.437 Disk 0 scanning sectors +312576705
21:09:26.468 Disk 0 scanning C:\WINDOWS\system32\drivers
21:09:33.375 Service scanning
21:09:37.734 Disk 0 trace - called modules:
21:09:37.750 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:09:37.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a709ab8]
21:09:37.765 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\00000070[0x8a75ef18]
21:09:37.781 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-1b[0x8a712940]
21:09:37.796 Scan finished successfully
21:09:49.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\MBR.dat"
21:09:49.625 The log file has been saved successfully to "C:\Documents and Settings\All Users\Desktop\Anti Virus & Spyware\aswMBR02.txt"


And here is my MalwareBytes Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6630

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/20/2011 9:28:17 PM
mbam-log-2011-05-20 (21-28-17).txt

Scan type: Quick scan
Objects scanned: 223288
Time elapsed: 12 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP