Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please Help svchost.exe using 100 % CPU


  • This topic is locked This topic is locked

#1
lavega21

lavega21

    Member

  • Member
  • PipPip
  • 54 posts
Hi All,

I need some help I beleive this is Malware related. I am helpiing someone with this computer the svchost dot exe keep taking over the cpu usage and not allowing to perform at its best. I have run Malbarebytes and nothing was found. My friend said that this morning his anti virus said there was a trojan and it was quarantine here is the OTL log and Extra Log. Thank you for your help.


OTL logfile created on: 09/14/2011 5:01:23 PM - Run 1
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1014.33 Mb Total Physical Memory | 472.41 Mb Available Physical Memory | 46.57% Memory free
1.62 Gb Paging File | 1.24 Gb Available in Paging File | 76.56% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.74 Gb Free Space | 68.08% Space Free | Partition Type: NTFS
Drive H: | 93.08 Gb Total Space | 75.97 Gb Free Space | 81.63% Space Free | Partition Type: NTFS

Computer Name: ABCORDERING | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/14 17:00:51 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/02/10 13:51:44 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/12/20 11:29:40 | 000,125,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/12/20 11:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/11/21 18:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/11/21 18:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/11/21 18:38:28 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (srv820)
SRV - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/06/22 03:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/11/18 15:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/12/20 11:29:34 | 000,116,928 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/12/20 11:29:30 | 001,814,720 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/12/20 11:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/11/21 18:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/11/21 18:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/08/25 13:00:38 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 17:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/08/18 09:53:46 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110913.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/18 09:53:46 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110913.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/28 01:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/07/28 01:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/07/06 16:32:48 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/08/11 12:40:58 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:40:58 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/01/30 10:49:18 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/01/26 13:49:36 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 17:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 17:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 18:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/08/08 12:52:58 | 001,035,008 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USR_MDMV.sys -- (HSF_DPV)
DRV - [2005/08/08 12:52:16 | 000,231,168 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USR_BSC2.sys -- (HSFHWBS2)
DRV - [2005/08/08 12:52:12 | 000,729,728 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_USR.sys -- (winachsf)
DRV - [2005/06/27 16:56:44 | 000,013,696 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdtpm12.sys -- (TPM12)
DRV - [2005/01/07 17:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/02/24 22:18:46 | 001,041,536 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/defaultc.aspx
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/08 14:21:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/08 14:21:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6 Beta 4\components [2009/12/22 17:56:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6 Beta 4\plugins [2009/12/08 19:09:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b5\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6 Beta 5\components [2010/01/04 19:31:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b5\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins [2010/01/04 19:31:36 | 000,000,000 | ---D | M]

[2009/10/28 18:44:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/09/14 16:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions
[2011/02/10 11:10:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/10 11:10:59 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/14 17:55:20 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\searchplugins\nrb.xml
[2009/12/08 16:13:01 | 000,001,863 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\searchplugins\searchalot.xml
[2011/09/14 16:45:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/10 13:51:45 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2011/09/14 11:49:59 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient_2.dll (Yontoo LLC)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKCU..\RunOnce: [2011914_16_60391] C:\Documents and Settings\Administrator\Local Settings\temp\LMIR0001.tmp.bat.js ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17220B00-60CD-4E50-A244-02ED7C8E6385} http://10.0.0.10//DvrMaster.cab (DvrMaster Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1241456964156 (WUWebControl Class)
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} http://www-307.ibm.c...rt/IbmEgath.cab (IBM Access Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{903CF798-8BBC-4EB1-8964-0AAEF13D7D1B}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{903CF798-8BBC-4EB1-8964-0AAEF13D7D1B}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A0C0CEF2-4FCD-4C94-8CFC-4E7F70DE0F03}: DhcpNameServer = 10.101.225.31 10.205.225.25
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\My Documents\My Pictures\ABC web logo.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\My Documents\My Pictures\ABC web logo.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/22 14:25:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/14 16:57:11 | 000,581,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/09/14 16:45:48 | 000,378,240 | ---- | C] (Neuber Software) -- C:\Documents and Settings\Administrator\Desktop\SvchostAnalyzer.exe
[2011/09/14 14:33:40 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/14 14:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/09/14 14:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/14 14:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/14 14:27:13 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/14 14:27:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/14 11:35:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/14 11:23:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/14 11:23:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/14 11:23:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/14 11:23:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/14 11:22:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/14 11:22:44 | 000,000,000 | ---D | C] -- C:\123abcdlo
[2011/09/14 11:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/09/14 11:02:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/14 11:02:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/09/14 10:55:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/14 10:55:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/14 10:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/09/14 10:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Deployment
[2011/09/14 10:38:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/09/07 17:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime
[2011/09/07 17:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\C64C0D38F203FC6C69DA91C16D81D447
[2011/09/07 17:27:29 | 000,000,000 | ---D | C] -- C:\Adobe
[2011/09/07 15:17:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/09/07 15:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/09/07 15:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/07 15:03:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/07 15:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1998/08/24 09:31:44 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/09/14 17:04:59 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/14 17:00:51 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/09/14 16:45:48 | 000,378,240 | ---- | M] (Neuber Software) -- C:\Documents and Settings\Administrator\Desktop\SvchostAnalyzer.exe
[2011/09/14 16:39:49 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/14 16:14:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/14 15:22:42 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/14 14:48:00 | 000,000,483 | ---- | M] () -- C:\Documents and Settings\Administrator\Shortcut to Administrator.lnk
[2011/09/14 14:27:18 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/14 14:01:09 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/09/14 14:01:09 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/09/14 13:58:21 | 000,003,038 | ---- | M] () -- C:\fix_svchost.bat
[2011/09/14 11:49:59 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/14 10:54:48 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/09/14 08:04:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/09 12:05:48 | 000,000,090 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2011/09/02 13:05:45 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2007.lnk
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/29 13:14:54 | 000,057,579 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for July 2011.pdf
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/09/14 14:48:00 | 000,000,483 | ---- | C] () -- C:\Documents and Settings\Administrator\Shortcut to Administrator.lnk
[2011/09/14 14:27:18 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/14 13:58:21 | 000,003,038 | ---- | C] () -- C:\fix_svchost.bat
[2011/09/14 12:17:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/14 11:35:49 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/14 11:35:45 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/14 11:23:10 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/14 11:23:10 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/14 11:23:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/14 11:23:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/14 11:23:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/29 13:14:54 | 000,057,579 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for July 2011.pdf
[2009/10/28 18:44:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/14 19:10:06 | 009,019,392 | ---- | C] () -- C:\WINDOWS\System32\DvrPlayer.exe
[2009/10/14 19:09:32 | 032,223,232 | ---- | C] () -- C:\WINDOWS\System32\DvrMaster.exe
[2009/09/29 17:20:34 | 008,627,712 | ---- | C] () -- C:\WINDOWS\System32\avcodec-52.dll
[2009/09/29 17:20:34 | 000,654,848 | ---- | C] () -- C:\WINDOWS\System32\avformat-52.dll
[2009/09/29 17:20:34 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\swscale-0.dll
[2009/09/29 17:20:34 | 000,061,952 | ---- | C] () -- C:\WINDOWS\System32\avutil-49.dll
[2009/09/29 17:20:34 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\avdevice-52.dll
[2009/08/24 14:11:18 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/21 15:25:28 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/21 15:25:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\BD2140.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/06/06 13:53:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
[2007/06/01 15:02:26 | 000,000,129 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2007/04/23 11:14:08 | 000,650,608 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/04/23 11:14:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll
[2007/03/13 12:32:48 | 000,569,344 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/06/26 12:31:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/06/26 12:31:08 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/06/26 12:31:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/06/26 12:31:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/06/26 12:31:08 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/06/26 12:31:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/06/23 12:22:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2006/06/23 12:22:04 | 000,164,864 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.EXE
[2006/06/23 12:11:02 | 000,000,332 | ---- | C] () -- C:\WINDOWS\upsa.ini
[2006/06/23 09:18:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\dm.ini
[2006/06/23 08:32:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/06/22 14:31:05 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/06/22 14:27:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/06/22 14:22:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/06/22 10:15:28 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/06/22 10:14:25 | 000,283,720 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/05/25 21:08:36 | 000,724,992 | ---- | C] () -- C:\WINDOWS\System32\slmp4core.dll
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/12/10 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[2001/08/23 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 05:00:00 | 000,493,136 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 05:00:00 | 000,091,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/01/07 08:15:42 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\p2molap.dll
[2000/01/07 08:15:42 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\p2solap.dll
[1999/12/10 07:17:22 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\p2smcube.dll
[1999/09/22 14:03:54 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\PG32CONV.DLL
[1998/11/08 17:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\u2lbar.dll
[1997/08/28 17:00:00 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\u2lesbse.dll
[1997/08/28 17:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\u25store.dll
[1997/08/28 17:00:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\u25total.dll
[1997/06/18 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/06/18 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2009/10/29 15:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2006/06/26 12:06:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2010/05/12 14:44:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SmartDraw
[2009/08/24 14:11:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/09/14 08:26:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010/04/15 12:09:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
[2009/08/25 11:27:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

========== Purity Check ==========



< End of report >


OTL Extras logfile created on: 09/14/2011 5:01:23 PM - Run 1
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1014.33 Mb Total Physical Memory | 472.41 Mb Available Physical Memory | 46.57% Memory free
1.62 Gb Paging File | 1.24 Gb Available in Paging File | 76.56% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 50.74 Gb Free Space | 68.08% Space Free | Partition Type: NTFS
Drive H: | 93.08 Gb Total Space | 75.97 Gb Free Space | 81.63% Space Free | Partition Type: NTFS

Computer Name: ABCORDERING | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"67:UDP" = 67:UDP:*:Enabled:DHCP Server

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (Intuit, Inc.)
"C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe" = C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe:*:Enabled:Database Service Manager -- (Pervasive Software Inc.)
"C:\Documents and Settings\Administrator\Local Settings\Temp\LMIR0001.tmp\lmi_rescue.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\LMIR0001.tmp\lmi_rescue.exe:*:Enabled:LogMeIn Rescue -- (LogMeIn, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
" iScan Barcode Receiving System 3.2" = iScan Barcode Receiving System 3.2
"{0A3238D7-AB32-1010-B717-F3E3F18B4A8C}" = Pervasive PSQL v10.10 Workgroup (32-bit)
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 17
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{3248F0A8-6813-11D6-A77B-00B0D0150070}" = J2SE Runtime Environment 5.0 Update 7
"{3248F0A8-6813-11D6-A77B-00B0D0150100}" = J2SE Runtime Environment 5.0 Update 10
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{33CFCF98-F8D6-4549-B469-6F4295676D83}" = Symantec AntiVirus
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7670D32F-DAE6-4E49-8C8B-B3F08B5B1686}" = Microsoft SQL Server Native Client
"{7E7658A2-CD3F-48A7-93EA-0882BCA4FD2A}" = LogMeIn
"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo Layers Runtime 1.10.01
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{BB3E60DA-6E70-4A6A-9B9A-DF90E46CEA64}" =
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B2-0409-0000-0000000FF1CE}" = Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9A2F0810-3622-4E86-9072-973FBE1679C5}" = QuickBooks Pro 2009
"{9A2F0810-369F-4E86-9072-973FBE1679C5}" = QuickBooks
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A70800000002}" = Adobe Reader 7.0.8
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B525BB2C-9338-11D4-8B84-00B0D03E6A83}" = Palm Conduit Support for COM
"{BA0F44C2-A883-11D1-AD0A-006097D15E2C}" = Palm Desktop
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CAF3BDA7-22CF-11D5-B057-00609443A854}" = UltraPhase Upload to Catalog & Order Entry
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E7084B89-69E0-46B3-A118-8F99D06988CD}" = Microsoft SQL Server VSS Writer
"{E7835D4A-C2FF-4F25-A30F-1253250A114A}" = ECHO
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{FCBF9A51-0B27-4B86-919B-2FE5E34E0B55}" = DvrMaster
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AdobeESD" = Adobe Download Manager 2.0 (Remove Only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_201414F1" = HSF2014 56K Data Fax Modem
"HDMI" = Intel® Graphics Media Accelerator Driver
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{E7835D4A-C2FF-4F25-A30F-1253250A114A}" = ECHO
"iScan Barcode Receiving System 3.1" = iScan Barcode Receiving System 3.1
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Mozilla Firefox (3.6.20)" = Mozilla Firefox (3.6.20)
"Mozilla Firefox (3.6b4)" = Mozilla Firefox (3.6b4)
"Mozilla Firefox (3.6b5)" = Mozilla Firefox (3.6b5)
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PPTView97" = Microsoft PowerPoint Viewer 97
"PROPLUS" = Microsoft Office Professional Plus 2007
"PROR" = Microsoft Office Professional 2007
"PROSet" = Intel® PRO Network Connections Drivers
"USR_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_200014F1" = U.S. Robotics V.92 PCI Faxmodem
"Viewer97" = Microsoft Word Viewer 97
"VLC media player" = VideoLAN VLC media player 0.8.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"XLViewer97" = Microsoft Excel Viewer 97
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.1.0.366

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 09/14/2011 6:18:58 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 6:18:58 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:29:07 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:29:07 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:29:07 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:29:07 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:36:12 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:36:12 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:36:12 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

Error - 09/14/2011 7:36:12 PM | Computer Name = ABCORDERING | Source = QuickBooks | ID = 4
Description = An unexpected error has occured in "QuickBooks": Returning NULL QBWinInstance
Hand

[ System Events ]
Error - 09/14/2011 5:58:02 PM | Computer Name = ABCORDERING | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 09/14/2011 6:00:25 PM | Computer Name = ABCORDERING | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 09/14/2011 6:02:17 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7023
Description = The srv820 service terminated with the following error: %%126

Error - 09/14/2011 7:17:51 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the QBCFMonitorService service
to connect.

Error - 09/14/2011 7:17:51 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7023
Description = The srv820 service terminated with the following error: %%126

Error - 09/14/2011 7:17:51 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Symantec AntiVirus service
to connect.

Error - 09/14/2011 7:40:21 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7034
Description = The COM+ Event System service terminated unexpectedly. It has done
this 3 time(s).

Error - 09/14/2011 7:40:21 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7034
Description = The Help and Support service terminated unexpectedly. It has done
this 3 time(s).

Error - 09/14/2011 7:40:21 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7034
Description = The Network Location Awareness (NLA) service terminated unexpectedly.
It has done this 3 time(s).

Error - 09/14/2011 7:40:55 PM | Computer Name = ABCORDERING | Source = Service Control Manager | ID = 7032
Description = The Service Control Manager tried to take a corrective action (Restart
the service) after the unexpected termination of the Windows Management Instrumentation
service, but this action failed with the following error: %%1056


< End of report >
  • 0

Advertisements


#2
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hello lavega21 and welcome to G2G! :)

My nick is maliprog and I'll will be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKCU..\RunOnce: [2011914_16_60391] C:\Documents and Settings\Administrator\Local Settings\temp\LMIR0001.tmp.bat.js ()
    O16 - DPF: {17220B00-60CD-4E50-A244-02ED7C8E6385} http://10.0.0.10//DvrMaster.cab (DvrMaster Control)

    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.
Step 3

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named )

First we will run a virus scan

Click the cog in the upper right
Posted Image


Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
Posted Image

Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threads report from the left and press Save button
Save it to your desktop and attach to your next post

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • GMER log
  • AVP log
It would be helpful if you could post each log in separate post
  • 0

#3
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here is the results for step 1, thank you for your help.



All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\\2011914_16_60391 not found.
File C:\Documents and Settings\Administrator\Local Settings\temp\LMIR0001.tmp.bat.js not found.
Starting removal of ActiveX control {17220B00-60CD-4E50-A244-02ED7C8E6385}
C:\WINDOWS\Downloaded Program Files\DvrMaster.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17220B00-60CD-4E50-A244-02ED7C8E6385}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17220B00-60CD-4E50-A244-02ED7C8E6385}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{17220B00-60CD-4E50-A244-02ED7C8E6385}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17220B00-60CD-4E50-A244-02ED7C8E6385}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: abcbackdoor
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 348 bytes

User: Administrator
->Temp folder emptied: 170383 bytes
->Temporary Internet Files folder emptied: 10453470 bytes
->Java cache emptied: 35006008 bytes
->FireFox cache emptied: 45630765 bytes
->Flash cache emptied: 1146 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 56113506 bytes
->Java cache emptied: 6152 bytes
->Flash cache emptied: 6912 bytes

User: LogMeInRemoteUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService
->Temp folder emptied: 196608 bytes
->Temporary Internet Files folder emptied: 149707228 bytes
->Java cache emptied: 17105 bytes
->Flash cache emptied: 13690 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17010560 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33453 bytes
RecycleBin emptied: 14786291 bytes

Total Files Cleaned = 316.00 mb


[EMPTYFLASH]

User: abcbackdoor
->Flash cache emptied: 0 bytes

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User

User: LocalService
->Flash cache emptied: 0 bytes

User: LogMeInRemoteUser

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.28.0 log created on 09212011_100107

Files\Folders moved on Reboot...
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FY14A973\307501-please-help-svchostexe-using-100-cpu[1].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C37FZFYU\google[2].htm moved successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_560.dat moved successfully.

Registry entries deleted on Reboot...
  • 0

#4
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here is the log for step 2....

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-21 10:32:11
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800JD-08MSA1 rev.10.01E01
Running: 6bng9n6n.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwliipog.sys


---- System - GMER 1.0.15 ----

SSDT 86E6E008 ZwAlertResumeThread
SSDT 86E9B548 ZwAlertThread
SSDT 86E8BF30 ZwAllocateVirtualMemory
SSDT 86EB8130 ZwConnectPort
SSDT 86E810F8 ZwCreateMutant
SSDT 86DF6F58 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA11A350]
SSDT 86D50758 ZwFreeVirtualMemory
SSDT 86E6CA40 ZwImpersonateAnonymousToken
SSDT 86E6F308 ZwImpersonateThread
SSDT 86DF8828 ZwMapViewOfSection
SSDT 86D1F138 ZwOpenEvent
SSDT 86D505E0 ZwOpenProcessToken
SSDT 86D50D48 ZwOpenThreadToken
SSDT 86EBAD78 ZwQueryValueKey
SSDT 86D4A630 ZwResumeThread
SSDT 86D50E98 ZwSetContextThread
SSDT 86D50A90 ZwSetInformationProcess
SSDT 86D510C0 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA11A580]
SSDT 86E87CC8 ZwSuspendProcess
SSDT 86D51318 ZwSuspendThread
SSDT 86D50450 ZwTerminateProcess
SSDT 86D51198 ZwTerminateThread
SSDT 86D50830 ZwUnmapViewOfSection
SSDT 86E8B730 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 8 Bytes [C8, 7C, E8, 86, 18, 13, D5, ...] {ENTER 0xe87c, 0x86; SBB [EBX], DL; AAD 0x86}

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[880] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[968] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\System32\svchost.exe[1020] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0092000C
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance 774FF1AC 3 Bytes JMP 00DB000A
.text C:\WINDOWS\System32\svchost.exe[1020] ole32.dll!CoCreateInstance + 4 774FF1B0 1 Byte [89]
.text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C
.text C:\WINDOWS\system32\svchost.exe[1660] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 001A000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:364] AA0AA4F2

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected] 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[email protected]_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
  • 0

#5
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here is the AVP Log, the thing is that I went away and someone did the recommneded action and then I tried to go back delete instead and this is the log, I wanted to re run the program but I rather just wait for you. Thank you for help.

Status: Absent (events: 8)
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\Default User\Start Menu\Programs\Startup\vyxu.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\Default User\Start Menu\Programs\Startup\eleq.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\oryc.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\olety.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\ivatyf.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\itxud.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\itxud.exe High
09/21/2011 12:29:05 PM Not found virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\ivatyf.exe High
Status: Disinfected (events: 1)
09/21/2011 12:09:44 PM Disinfected Trojan program Trojan.Win32.Hosts2.gen c:\WINDOWS\system32\drivers\etc\hosts High
Status: Quarantined (events: 7)
09/21/2011 12:20:22 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\olety.exe High
09/21/2011 12:20:22 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup\oryc.exe High
09/21/2011 12:20:22 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\itxud.exe High
09/21/2011 12:20:21 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\Default User\Start Menu\Programs\Startup\vyxu.exe High
09/21/2011 12:20:21 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\Default User\Start Menu\Programs\Startup\eleq.exe High
09/21/2011 12:20:21 PM Quarantined virus HEUR:Trojan.Win32.Generic c:\Documents and Settings\abcbackdoor\Start Menu\Programs\Startup\ivatyf.exe High
09/21/2011 12:02:00 PM Quarantined virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\Administrator\Application Data\Yxexi\erraucz.exe High
  • 0

#6
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi lavega21,

Looks like they are all quarantined so you don't need to run AVP again. Let's continue:

Step 1

Please read carefully and follow these steps.

Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
  • Extract the zip file to its own folder.
  • Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
  • Click Start scan to start scanning.
  • If infection is detected, the default setting for "action" should be Cure
    • (If suspicious file is detected please click on it and change it to Skip).
  • Click Continue button
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Step 2

Download aswMBR.exe ( 511KB ) to your desktop.

  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply

Step 3

Please don't forget to include these items in your reply:

  • TDSSKiller log
  • aswMBR log
It would be helpful if you could post each log in separate post
  • 0

#7
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here are the result on step 1...Thnak you.


2011/09/22 11:17:19.0028 2336 TDSS rootkit removing tool 2.5.23.0 Sep 20 2011 08:53:10
2011/09/22 11:17:19.0653 2336 ================================================================================
2011/09/22 11:17:19.0653 2336 SystemInfo:
2011/09/22 11:17:19.0653 2336
2011/09/22 11:17:19.0653 2336 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/22 11:17:19.0653 2336 Product type: Workstation
2011/09/22 11:17:19.0653 2336 ComputerName: ABCORDERING
2011/09/22 11:17:19.0653 2336 UserName: Administrator
2011/09/22 11:17:19.0653 2336 Windows directory: C:\WINDOWS
2011/09/22 11:17:19.0653 2336 System windows directory: C:\WINDOWS
2011/09/22 11:17:19.0653 2336 Processor architecture: Intel x86
2011/09/22 11:17:19.0653 2336 Number of processors: 2
2011/09/22 11:17:19.0653 2336 Page size: 0x1000
2011/09/22 11:17:19.0653 2336 Boot type: Normal boot
2011/09/22 11:17:19.0653 2336 ================================================================================
2011/09/22 11:17:20.0778 2336 Initialize success
2011/09/22 11:17:32.0997 4008 ================================================================================
2011/09/22 11:17:32.0997 4008 Scan started
2011/09/22 11:17:32.0997 4008 Mode: Manual;
2011/09/22 11:17:32.0997 4008 ================================================================================
2011/09/22 11:17:33.0560 4008 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/22 11:17:33.0591 4008 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/22 11:17:33.0653 4008 ADIHdAudAddService (45e7a5e6963fa9d69cb85f50a271e3df) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/09/22 11:17:33.0731 4008 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/22 11:17:33.0810 4008 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/22 11:17:33.0981 4008 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/22 11:17:34.0013 4008 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/22 11:17:34.0044 4008 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/22 11:17:34.0106 4008 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/22 11:17:34.0169 4008 b57w2k (133ad3794572bce689763a8356c7ed06) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/09/22 11:17:34.0247 4008 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/22 11:17:34.0372 4008 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/22 11:17:34.0450 4008 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/22 11:17:34.0513 4008 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/22 11:17:34.0560 4008 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/22 11:17:34.0747 4008 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/22 11:17:34.0810 4008 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/22 11:17:34.0872 4008 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/22 11:17:34.0919 4008 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/22 11:17:34.0966 4008 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/22 11:17:35.0091 4008 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/22 11:17:35.0153 4008 e1express (0849eacdc01487573add86f5e470806c) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/22 11:17:35.0263 4008 eeCtrl (8f7dbc4be48f5388a6fe1f285e7948ef) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/09/22 11:17:35.0325 4008 EGATHDRV (938f1ec77ba35858248e584b2d2e9776) C:\WINDOWS\system32\EGATHDRV.SYS
2011/09/22 11:17:35.0356 4008 EraserUtilRebootDrv (3ee14d400e0fdd0d214275a4a20b7022) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/09/22 11:17:35.0403 4008 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/22 11:17:35.0513 4008 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/22 11:17:35.0606 4008 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/22 11:17:35.0700 4008 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/22 11:17:35.0763 4008 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/22 11:17:35.0825 4008 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/22 11:17:35.0856 4008 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/22 11:17:35.0919 4008 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/22 11:17:35.0981 4008 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
2011/09/22 11:17:36.0028 4008 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/22 11:17:36.0075 4008 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/22 11:17:36.0153 4008 HSFHWBS2 (6db36593abdda54c505b77a4f135d5f3) C:\WINDOWS\system32\DRIVERS\USR_BSC2.sys
2011/09/22 11:17:36.0263 4008 HSF_DP (d9eb0b254da1a80ebe607cdac8c38e5d) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/09/22 11:17:36.0466 4008 HSF_DPV (01dc6300bd5b4eaa3de6fc3fa4adb82a) C:\WINDOWS\system32\DRIVERS\USR_MDMV.sys
2011/09/22 11:17:36.0638 4008 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/22 11:17:36.0716 4008 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/22 11:17:36.0981 4008 ialm (2aae7be67911f4aec9ad28e9cfb9096f) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/22 11:17:37.0341 4008 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/22 11:17:37.0450 4008 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/22 11:17:37.0497 4008 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/22 11:17:37.0544 4008 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/22 11:17:37.0622 4008 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/22 11:17:37.0669 4008 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/22 11:17:37.0700 4008 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/22 11:17:37.0810 4008 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/22 11:17:37.0856 4008 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/22 11:17:37.0966 4008 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/22 11:17:38.0028 4008 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/22 11:17:38.0060 4008 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/22 11:17:38.0106 4008 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/22 11:17:38.0247 4008 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
2011/09/22 11:17:38.0310 4008 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
2011/09/22 11:17:38.0372 4008 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
2011/09/22 11:17:38.0435 4008 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/09/22 11:17:38.0497 4008 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/22 11:17:38.0591 4008 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/22 11:17:38.0622 4008 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/22 11:17:38.0669 4008 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/22 11:17:38.0747 4008 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/22 11:17:38.0794 4008 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/22 11:17:38.0841 4008 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/22 11:17:38.0872 4008 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/22 11:17:38.0919 4008 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/22 11:17:38.0950 4008 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/22 11:17:38.0981 4008 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/22 11:17:39.0060 4008 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/22 11:17:39.0106 4008 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/22 11:17:39.0200 4008 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110920.002\naveng.sys
2011/09/22 11:17:39.0310 4008 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110920.002\navex15.sys
2011/09/22 11:17:39.0481 4008 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/22 11:17:39.0591 4008 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/22 11:17:39.0638 4008 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/22 11:17:39.0731 4008 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/22 11:17:40.0481 4008 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/22 11:17:40.0747 4008 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/22 11:17:41.0044 4008 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/22 11:17:41.0560 4008 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/22 11:17:41.0872 4008 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/22 11:17:42.0263 4008 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/22 11:17:42.0388 4008 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/22 11:17:42.0544 4008 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/22 11:17:42.0841 4008 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/22 11:17:43.0278 4008 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/22 11:17:43.0435 4008 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/22 11:17:43.0560 4008 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/22 11:17:43.0935 4008 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/22 11:17:44.0044 4008 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/22 11:17:44.0763 4008 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/22 11:17:45.0247 4008 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/22 11:17:45.0544 4008 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/22 11:17:46.0356 4008 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/22 11:17:46.0685 4008 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/22 11:17:47.0075 4008 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/22 11:17:47.0310 4008 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/22 11:17:47.0606 4008 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/22 11:17:48.0028 4008 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/22 11:17:48.0325 4008 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/22 11:17:48.0856 4008 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/22 11:17:49.0263 4008 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/22 11:17:50.0075 4008 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/09/22 11:17:50.0919 4008 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/09/22 11:17:51.0247 4008 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/22 11:17:51.0528 4008 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/22 11:17:51.0888 4008 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/22 11:17:52.0372 4008 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/22 11:17:53.0013 4008 SPBBCDrv (677b10906838d3bfb1c07ac9087e4bf7) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/09/22 11:17:53.0481 4008 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/22 11:17:53.0825 4008 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/22 11:17:54.0138 4008 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/22 11:17:54.0450 4008 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/22 11:17:54.0794 4008 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/22 11:17:55.0450 4008 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2011/09/22 11:17:55.0528 4008 SYMREDRV (6c0a85982f4e0d672b85a2bfb50a24b5) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/09/22 11:17:55.0872 4008 SYMTDI (cdda3ba3f7d5b63ff9f85cb478c11473) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/09/22 11:17:56.0544 4008 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/22 11:17:57.0778 4008 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/22 11:17:58.0310 4008 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/22 11:17:58.0763 4008 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/22 11:17:59.0513 4008 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/22 11:18:00.0294 4008 TPM12 (00e22f0091fbfab64dbd73c7224d71a0) C:\WINDOWS\system32\DRIVERS\wdtpm12.sys
2011/09/22 11:18:00.0481 4008 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/22 11:18:00.0981 4008 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/22 11:18:01.0685 4008 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/22 11:18:01.0966 4008 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/22 11:18:02.0185 4008 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/22 11:18:02.0872 4008 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/22 11:18:03.0169 4008 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/22 11:18:03.0716 4008 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/22 11:18:04.0060 4008 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/22 11:18:04.0466 4008 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/22 11:18:04.0606 4008 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/22 11:18:04.0856 4008 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/22 11:18:05.0216 4008 winachsf (35104d888a90ebc18f71fdc2374d2bb9) C:\WINDOWS\system32\DRIVERS\HSF_USR.sys
2011/09/22 11:18:05.0403 4008 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0
2011/09/22 11:18:05.0403 4008 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/22 11:18:05.0403 4008 Boot (0x1200) (3c3940d8e0dc00edc8ed566b73601307) \Device\Harddisk0\DR0\Partition0
2011/09/22 11:18:05.0419 4008 ================================================================================
2011/09/22 11:18:05.0419 4008 Scan finished
2011/09/22 11:18:05.0419 4008 ================================================================================
2011/09/22 11:18:05.0419 2172 Detected object count: 1
2011/09/22 11:18:05.0419 2172 Actual detected object count: 1
2011/09/22 11:42:39.0716 2172 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/22 11:42:39.0716 2172 \Device\Harddisk0\DR0 - ok
2011/09/22 11:42:39.0716 2172 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/22 11:43:07.0185 3276 Deinitialize success
  • 0

#8
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Here is the post for step 2...When I ran the program it asked if I wanted to download avast for better results and download virus definition. I said no and hit scan and then save here is the log


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-22 13:03:19
-----------------------------
13:03:19.371 OS Version: Windows 5.1.2600 Service Pack 3
13:03:19.371 Number of processors: 2 586 0x605
13:03:19.371 ComputerName: ABCORDERING UserName:
13:03:19.637 Initialize success
13:03:36.451 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:03:36.467 Disk 0 Vendor: WDC_WD800JD-08MSA1 10.01E01 Size: 76324MB BusType: 3
13:03:38.467 Disk 0 MBR read successfully
13:03:38.467 Disk 0 MBR scan
13:03:38.467 Disk 0 Windows XP default MBR code
13:03:38.467 Disk 0 scanning sectors +156296385
13:03:38.529 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:47.921 Service scanning
13:03:49.155 Modules scanning
13:03:55.437 Disk 0 trace - called modules:
13:03:55.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:03:55.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f71ab8]
13:03:55.469 3 CLASSPNP.SYS[f757dfd7] -> nt!IofCallDriver -> \Device\0000006b[0x86f87f18]
13:03:55.469 5 ACPI.sys[f7414620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f76b00]
13:03:55.469 Scan finished successfully
13:05:42.494 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
13:05:42.494 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
  • 0

#9
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi lavega21,

How is your system now? Problems?
  • 0

#10
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Before I did the last two steps last night I ran the AVP again and it created a new log which is below. After that I did the the two steps you advised last night which I already posted. I just felt I needed to share this with you.

Also, just so you know before I stated working with you the computer was starting as "Selective Start-up" I do not want to enable Normal Start-up until you tell me it's ok. Thank you.


Status: Deleted (events: 14)
09/21/2011 6:17:53 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BD40000\4FFE34CE.VBN High
09/21/2011 6:17:53 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BD40000\4FFE34CE.VBN//CryptZ High
09/21/2011 6:17:54 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\16\1f1f6ad0-6d0024db High
09/21/2011 6:17:55 PM Deleted virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\36\84b7364-2c6dd4fa High
09/21/2011 6:31:02 PM Deleted Trojan program Trojan-Downloader.JS.Iframe.cks C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OY0K1HGP\lazkano_net[1].htm High
09/22/2011 9:33:44 AM Deleted Trojan program Backdoor.Win32.Papras.dod C:\Qoobox\Quarantine\C\WINDOWS\system32\BRRBuery.dll.vir High
09/22/2011 9:33:44 AM Deleted Trojan program Backdoor.Win32.Papras.dod C:\Qoobox\Quarantine\C\WINDOWS\system32\cacltson.dll.vir High
09/22/2011 9:33:46 AM Deleted Trojan program Backdoor.Win32.Papras.dod C:\System Volume Information\_restore{FAD6CB1D-4580-42F7-B9AC-AD54F3135187}\RP780\A0054979.dll High
09/22/2011 9:33:54 AM Deleted Trojan program Backdoor.Win32.Papras.dod C:\System Volume Information\_restore{FAD6CB1D-4580-42F7-B9AC-AD54F3135187}\RP780\A0054980.dll High
09/22/2011 9:43:36 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.a C:\System Volume Information\_restore{FAD6CB1D-4580-42F7-B9AC-AD54F3135187}\RP780\A0073324.exe High
09/22/2011 10:33:26 AM Deleted virus HEUR:Exploit.Script.Generic C:\WINDOWS\Temp\AcrBB32.tmp High
09/22/2011 10:33:26 AM Deleted virus HEUR:Exploit.Script.Generic C:\WINDOWS\Temp\AcrBB32.tmp//data0001 High
09/22/2011 10:33:25 AM Deleted Trojan program Exploit.JS.Pdfka.exf C:\WINDOWS\Temp\Acr7FFD.tmp High
09/22/2011 10:33:25 AM Deleted Trojan program Exploit.JS.Pdfka.exf C:\WINDOWS\Temp\Acr7FFD.tmp//data0001 High
Status: Disinfected (events: 4)
09/21/2011 6:14:40 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.cs C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\36\364826e4-3580bfa2 High
09/21/2011 6:14:40 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.cs C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\36\364826e4-3580bfa2/mail/MailAgent.class High
09/22/2011 10:32:17 AM Disinfected Trojan program Exploit.Java.CVE-2010-0840.cn C:\WINDOWS\Temp\jar_cache1863853923387033330.tmp High
09/22/2011 10:32:17 AM Disinfected Trojan program Exploit.Java.CVE-2010-0840.cn C:\WINDOWS\Temp\jar_cache1863853923387033330.tmp/bingo/nikon.class High
  • 0

Advertisements


#11
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Computer is def running better....I do not see the svchost taking over but graphics are slow to load for example in this forum the avatar is not loaded completly. Since we are on different time zone I wanted to share as much as possible on the status of the computer. Also I'm not sure how the system got infected so bad we have Symantec AV and per windows virus defintions are up to date, I know we are not finished but just a question....should I unistall that one and choose a different one? Thank you for all your help.
  • 0

#12
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi lavega21,

Please start your system in Normal mode and test it. Get back to me with results. If you think you need different antivirus software I'll give you Free recommendation after we are finish with this.

  • Run OTL.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open notepad window. OTL.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

  • 0

#13
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Computer is running a lot better but it is still a little slow and hasitating a little. I start a normal startup and no problems. Here is the OTL Log after starting Normal.


OTL logfile created on: 09/23/2011 6:11:14 PM - Run 2
OTL by OldTimer - Version 3.2.28.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: MM/dd/yyyy

1014.35 Mb Total Physical Memory | 181.14 Mb Available Physical Memory | 17.86% Memory free
1.62 Gb Paging File | 1.07 Gb Available in Paging File | 66.07% Paging File free
Paging file location(s): C:\pagefile.sys 744 1488 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 51.14 Gb Free Space | 68.62% Space Free | Partition Type: NTFS
Drive H: | 93.08 Gb Total Space | 75.47 Gb Free Space | 81.08% Space Free | Partition Type: NTFS

Computer Name: ABCORDERING | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/14 17:00:51 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\ramaint.exe
PRC - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
PRC - [2011/06/22 05:13:46 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/06/22 03:57:14 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe
PRC - [2010/02/10 13:51:44 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2008/11/18 15:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
PRC - [2008/07/30 20:56:26 | 000,435,488 | ---- | M] (Pervasive Software Inc.) -- C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/03 15:09:34 | 000,063,048 | ---- | M] (LogMeIn, Inc.) -- C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
PRC - [2006/12/20 11:29:40 | 000,125,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/12/20 11:29:30 | 001,814,720 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/12/20 11:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/11/21 18:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/11/21 18:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/11/21 18:38:28 | 000,052,840 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (No Company Name) ==========

MOD - [2011/08/11 08:10:29 | 000,679,936 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
MOD - [2011/08/11 08:10:23 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
MOD - [2011/08/11 08:10:15 | 000,971,264 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
MOD - [2011/08/11 08:10:12 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
MOD - [2011/08/11 08:10:00 | 007,950,848 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
MOD - [2011/06/29 08:09:56 | 011,490,816 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (srv820)
SRV - [2011/07/06 16:32:20 | 000,136,584 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\RaMaint.exe -- (LMIMaint)
SRV - [2011/07/06 16:32:14 | 000,374,152 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2011/06/22 03:57:14 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/11/08 13:04:18 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Running] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2008/11/18 15:45:28 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2006/12/20 11:29:34 | 000,116,928 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/12/20 11:29:30 | 001,814,720 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/12/20 11:29:20 | 000,031,424 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/11/21 18:38:40 | 000,169,576 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/11/21 18:38:32 | 000,192,104 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/08/25 13:00:38 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/07 17:03:02 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
SRV - [2006/04/11 18:13:38 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)


========== Driver Services (SafeList) ==========

DRV - [2011/08/18 09:53:46 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110920.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/18 09:53:46 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20110920.002\NAVENG.SYS -- (NAVENG)
DRV - [2011/07/28 01:00:00 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/07/28 01:00:00 | 000,105,592 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/07/06 16:32:48 | 000,083,360 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2008/08/11 12:40:58 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2008/08/11 12:40:58 | 000,012,856 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Running] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2007/01/30 10:49:18 | 000,160,256 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2007/01/26 13:49:36 | 000,110,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/09/06 15:41:20 | 000,337,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\savrt.sys -- (SAVRT)
DRV - [2006/09/06 15:41:20 | 000,054,968 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Symantec AntiVirus\Savrtpel.sys -- (SAVRTPEL)
DRV - [2006/08/07 17:02:26 | 000,195,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/08/07 17:02:22 | 000,024,768 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/04/11 18:13:34 | 000,389,776 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2005/08/08 12:52:58 | 001,035,008 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USR_MDMV.sys -- (HSF_DPV)
DRV - [2005/08/08 12:52:16 | 000,231,168 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USR_BSC2.sys -- (HSFHWBS2)
DRV - [2005/08/08 12:52:12 | 000,729,728 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_USR.sys -- (winachsf)
DRV - [2005/06/27 16:56:44 | 000,013,696 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wdtpm12.sys -- (TPM12)
DRV - [2005/01/07 17:07:16 | 000,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)
DRV - [2004/02/24 22:18:46 | 001,041,536 | R--- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/defaultc.aspx
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.3.20100310105313


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/09/08 14:21:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.20\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/08 14:21:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b4\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6 Beta 4\components [2009/12/22 17:56:05 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b4\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6 Beta 4\plugins [2009/12/08 19:09:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b5\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6 Beta 5\components [2010/01/04 19:31:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6b5\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6 Beta 5\plugins [2010/01/04 19:31:36 | 000,000,000 | ---D | M]

[2009/10/28 18:44:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/09/14 16:45:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions
[2011/02/10 11:10:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/02/10 11:10:59 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/14 17:55:20 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\searchplugins\nrb.xml
[2009/12/08 16:13:01 | 000,001,863 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\glec0fjr.default\searchplugins\searchalot.xml
[2011/09/14 16:45:08 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/10 13:51:45 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF

O1 HOSTS File: ([2011/09/21 12:16:57 | 000,000,147 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient_2.dll (Yontoo LLC)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows ® Server 2003 DDK provider)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - HKLM..\Run: [volmgr] %APPDATA%\volmgr.exe File not found
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Pervasive PSQL Workgroup Engine.lnk = C:\WINDOWS\Installer\{0A3238D7-AB32-1010-B717-F3E3F18B4A8C}\WGE.14A03FCD_EA43_4130_A5C0_F02D38895A13.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1241456964156 (WUWebControl Class)
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} http://www-307.ibm.c...rt/IbmEgath.cab (IBM Access Support)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_07)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{903CF798-8BBC-4EB1-8964-0AAEF13D7D1B}: DhcpNameServer = 10.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{903CF798-8BBC-4EB1-8964-0AAEF13D7D1B}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A0C0CEF2-4FCD-4C94-8CFC-4E7F70DE0F03}: DhcpNameServer = 10.101.225.31 10.205.225.25
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (C:\WINDOWS\system32\NavLogon.dll) - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\My Documents\My Pictures\ABC web logo.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/06/22 14:25:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/22 13:02:48 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/09/22 11:17:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\tdsskiller
[2011/09/21 10:42:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities
[2011/09/21 10:42:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Yxexi
[2011/09/21 10:42:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Eqqaa
[2011/09/21 10:01:07 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/09/15 12:18:59 | 000,000,000 | ---D | C] -- C:\OpenCloud Security
[2011/09/14 17:47:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
[2011/09/14 16:57:11 | 000,581,632 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/09/14 16:45:48 | 000,378,240 | ---- | C] (Neuber Software) -- C:\Documents and Settings\Administrator\Desktop\SvchostAnalyzer.exe
[2011/09/14 14:33:40 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/09/14 14:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2011/09/14 14:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/09/14 14:27:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/09/14 14:27:13 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/09/14 14:27:13 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/09/14 11:35:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/09/14 11:23:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/09/14 11:23:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/09/14 11:23:09 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/09/14 11:23:09 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/09/14 11:22:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/09/14 11:22:44 | 000,000,000 | ---D | C] -- C:\123abcdlo
[2011/09/14 11:14:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/09/14 11:02:26 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/09/14 11:02:15 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/09/14 10:55:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/14 10:55:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/09/14 10:55:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/09/14 10:43:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Deployment
[2011/09/14 10:38:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/09/07 17:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\Yontoo Layers Runtime
[2011/09/07 17:28:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\C64C0D38F203FC6C69DA91C16D81D447
[2011/09/07 17:27:29 | 000,000,000 | ---D | C] -- C:\Adobe
[2011/09/07 15:17:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\AdobeUM
[2011/09/07 15:16:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/09/07 15:15:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/07 15:03:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/09/07 15:01:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[1998/08/24 09:31:44 | 000,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL

========== Files - Modified Within 30 Days ==========

[2011/09/23 18:06:51 | 000,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/09/23 18:05:28 | 000,002,537 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Pervasive PSQL Workgroup Engine.lnk
[2011/09/23 18:04:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/09/23 18:03:01 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/09/23 12:40:28 | 000,002,329 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Office Word 2007.lnk
[2011/09/23 12:20:35 | 001,031,444 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Burts_Pharmacy_20112012_Contract.jpg
[2011/09/23 12:18:49 | 000,054,546 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for August 2011.pdf
[2011/09/22 13:05:42 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/09/22 13:02:58 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Administrator\Desktop\aswMBR.exe
[2011/09/22 11:16:07 | 001,386,742 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/09/22 11:10:41 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/21 17:12:54 | 002,446,848 | ---- | M] () -- C:\WINDOWS\System32\OpenCloud Security.exe
[2011/09/21 16:55:25 | 000,196,096 | ---- | M] () -- C:\WINDOWS\System32\0.4584698091623789.exe
[2011/09/21 12:43:35 | 000,196,608 | ---- | M] () -- C:\WINDOWS\System32\0.02110555497997013.exe
[2011/09/21 12:43:33 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\0.24334014795480885.exe
[2011/09/21 12:16:57 | 000,000,147 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/09/21 10:39:10 | 099,396,960 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\setup_11.0.0.1245.x01_2011_09_21_21_10.exe
[2011/09/21 10:18:05 | 000,302,592 | ---- | M] () -- C:\6bng9n6n.exe
[2011/09/15 14:38:23 | 027,832,320 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Burt's Pharmacy (Backup Sep 15,2011 02 37 PM).QBB
[2011/09/14 17:00:51 | 000,581,632 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2011/09/14 16:45:48 | 000,378,240 | ---- | M] (Neuber Software) -- C:\Documents and Settings\Administrator\Desktop\SvchostAnalyzer.exe
[2011/09/14 14:48:00 | 000,000,483 | ---- | M] () -- C:\Documents and Settings\Administrator\Shortcut to Administrator.lnk
[2011/09/14 14:27:18 | 000,000,786 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/14 14:01:09 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/09/14 14:01:09 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/09/14 13:58:21 | 000,003,038 | ---- | M] () -- C:\fix_svchost.bat
[2011/09/14 10:54:48 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/09/14 08:04:08 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/09/09 12:05:48 | 000,000,090 | ---- | M] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/08/29 13:14:54 | 000,057,579 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for July 2011.pdf

========== Files Created - No Company Name ==========

[2011/09/23 18:02:44 | 000,002,537 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Start Pervasive PSQL Workgroup Engine.lnk
[2011/09/23 18:02:44 | 000,002,111 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2011/09/23 12:20:34 | 001,031,444 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Burts_Pharmacy_20112012_Contract.jpg
[2011/09/23 12:18:49 | 000,054,546 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for August 2011.pdf
[2011/09/22 13:05:42 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\MBR.dat
[2011/09/22 11:16:02 | 001,386,742 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2011/09/21 16:54:57 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\0.4584698091623789.exe
[2011/09/21 12:43:33 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\0.02110555497997013.exe
[2011/09/21 12:43:33 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\0.24334014795480885.exe
[2011/09/21 10:39:08 | 099,396,960 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\setup_11.0.0.1245.x01_2011_09_21_21_10.exe
[2011/09/21 10:18:03 | 000,302,592 | ---- | C] () -- C:\6bng9n6n.exe
[2011/09/15 14:37:59 | 027,832,320 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Burt's Pharmacy (Backup Sep 15,2011 02 37 PM).QBB
[2011/09/15 12:19:00 | 002,446,848 | ---- | C] () -- C:\WINDOWS\System32\OpenCloud Security.exe
[2011/09/14 14:48:00 | 000,000,483 | ---- | C] () -- C:\Documents and Settings\Administrator\Shortcut to Administrator.lnk
[2011/09/14 14:27:18 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/09/14 13:58:21 | 000,003,038 | ---- | C] () -- C:\fix_svchost.bat
[2011/09/14 12:17:14 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/09/14 11:35:49 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/09/14 11:35:45 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/09/14 11:23:10 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/09/14 11:23:10 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/09/14 11:23:10 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/09/14 11:23:10 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/09/14 11:23:10 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/08/29 13:14:54 | 000,057,579 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Reconciliation Detail for July 2011.pdf
[2009/10/28 18:44:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/10/14 19:10:06 | 009,019,392 | ---- | C] () -- C:\WINDOWS\System32\DvrPlayer.exe
[2009/10/14 19:09:32 | 032,223,232 | ---- | C] () -- C:\WINDOWS\System32\DvrMaster.exe
[2009/09/29 17:20:34 | 008,627,712 | ---- | C] () -- C:\WINDOWS\System32\avcodec-52.dll
[2009/09/29 17:20:34 | 000,654,848 | ---- | C] () -- C:\WINDOWS\System32\avformat-52.dll
[2009/09/29 17:20:34 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\swscale-0.dll
[2009/09/29 17:20:34 | 000,061,952 | ---- | C] () -- C:\WINDOWS\System32\avutil-49.dll
[2009/09/29 17:20:34 | 000,009,216 | ---- | C] () -- C:\WINDOWS\System32\avdevice-52.dll
[2009/08/24 14:11:18 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2009/08/21 15:25:28 | 000,000,426 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2009/08/21 15:25:28 | 000,000,034 | ---- | C] () -- C:\WINDOWS\System32\BD2140.DAT
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2008/06/06 13:53:26 | 000,000,392 | ---- | C] () -- C:\WINDOWS\System32\BTRDRVR.SYS
[2007/06/01 15:02:26 | 000,000,129 | ---- | C] () -- C:\WINDOWS\usrwiz.ini
[2007/04/23 11:14:08 | 000,650,608 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/04/23 11:14:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4764.dll
[2007/03/13 12:32:48 | 000,569,344 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006/06/26 12:31:08 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/06/26 12:31:08 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/06/26 12:31:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/06/26 12:31:08 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/06/26 12:31:08 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/06/26 12:31:08 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/06/23 12:22:31 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.INI
[2006/06/23 12:22:04 | 000,164,864 | ---- | C] () -- C:\WINDOWS\System32\UNWISE.EXE
[2006/06/23 12:11:02 | 000,000,332 | ---- | C] () -- C:\WINDOWS\upsa.ini
[2006/06/23 09:18:41 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\dm.ini
[2006/06/23 08:32:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2006/06/22 14:31:05 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2006/06/22 14:27:31 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2006/06/22 14:22:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2006/06/22 10:15:28 | 000,004,633 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2006/06/22 10:14:25 | 000,283,720 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2006/05/25 21:08:36 | 000,724,992 | ---- | C] () -- C:\WINDOWS\System32\slmp4core.dll
[2004/08/04 01:07:22 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2004/08/02 14:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2002/12/10 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[2001/08/23 05:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 05:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 05:00:00 | 000,493,136 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 05:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 05:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 05:00:00 | 000,091,156 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 05:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 05:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 05:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 05:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/01/07 08:15:42 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\p2molap.dll
[2000/01/07 08:15:42 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\p2solap.dll
[1999/12/10 07:17:22 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\p2smcube.dll
[1999/09/22 14:03:54 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\PG32CONV.DLL
[1998/11/08 17:00:00 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\u2lbar.dll
[1997/08/28 17:00:00 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\u2lesbse.dll
[1997/08/28 17:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\u25store.dll
[1997/08/28 17:00:00 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\u25total.dll
[1997/06/18 00:00:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1997/06/18 00:00:00 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== LOP Check ==========

[2011/09/21 11:20:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Eqqaa
[2009/10/29 15:12:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
[2006/06/26 12:06:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterVideo
[2010/05/12 14:44:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SmartDraw
[2011/09/21 12:02:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Yxexi
[2009/08/24 14:11:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\COMMON FILES
[2011/09/23 09:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LogMeIn
[2010/04/15 12:09:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pervasive Software
[2009/08/25 11:27:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SQL Anywhere 10

========== Purity Check ==========



< End of report >
  • 0

#14
maliprog

maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi lavega21,

Glad to hear that. Let's do some system maintains to speed it a little.

Step 1

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

Run the tool and it will disable all unnecessary sturtup entries.
Click on Continue button to save changes.

Step 2

Download and run Puran Disc Defragmenter
Click on Boot Time Defrag button and choose Restart-Defrag-Restart

Posted Image
  • 0

#15
lavega21

lavega21

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
So I went ahead and ran both tools and everything looks good. Any final recommendations?? Also, it looks like Symantec AV has some virus/infections quarantined. Should I delete them or leave them alone??
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP