SID:23621 System Infected Tidserv Activity Detected [Solved]


  • This topic is locked

#61
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
Hi,

You didn't post the aswMBR scan log.

Does the PC freeze when you are using any particular software, or is it just when surfing the net?

Have you installed the ErrorEnd.job that I can now see in your OTL log?

Sophos AntiVirus should work ok along with ZoneAlarm but you can try uninstalling/disabling Spybot for a while as you are also running MalwareBytes.


Please post the aswMBR log and answer the questions and then we'll move on from there :)
  • 0



#62
knarf1
    Member
  • Topic Starter
  • 67 posts
Hello.


<<<Does the PC freeze when you are using any particular software, or is it just when surfing the net?

Surfing, at random times.

<<<Have you installed the ErrorEnd.job that I can now see in your OTL log?

I do not know what this means. I did not install any such thing to my knowledge.

Thanks

Edited by knarf1, 03 February 2012 - 07:01 AM.

  • 0

#63
knarf1
    Member
  • Topic Starter
  • 67 posts
Sorry for not posting this.


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-02 06:09:12
-----------------------------
06:09:12.706 OS Version: Windows 6.0.6002 Service Pack 2
06:09:12.706 Number of processors: 2 586 0x1706
06:09:12.706 ComputerName: MSUMAN-PC UserName: msuman
06:09:14.422 Initialize success
06:11:41.552 AVAST engine defs: 12020201
06:11:58.525 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
06:11:58.525 Disk 0 Vendor: ST325031 4.AD Size: 238418MB BusType: 3
06:11:58.556 Disk 0 MBR read successfully
06:11:58.556 Disk 0 MBR scan
06:11:58.572 Disk 0 Windows VISTA default MBR code
06:11:58.572 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
06:11:58.634 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
06:11:58.650 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 228122 MB offset 21084160
06:11:58.665 Disk 0 scanning sectors +488278016
06:11:58.728 Disk 0 scanning C:\Windows\system32\drivers
06:12:16.543 Service scanning
06:12:18.727 Modules scanning
06:12:25.997 Disk 0 trace - called modules:
06:12:26.527 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
06:12:26.543 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e82ac8]
06:12:26.543 3 CLASSPNP.SYS[883a48b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x84dde028]
06:12:27.603 AVAST engine scan C:\Windows
06:12:31.082 AVAST engine scan C:\Windows\system32
06:17:08.719 AVAST engine scan C:\Windows\system32\drivers
06:17:35.115 AVAST engine scan C:\Users\msuman
06:52:29.016 AVAST engine scan C:\ProgramData
06:54:44.394 Scan finished successfully
06:59:34.710 Disk 0 MBR has been saved successfully to "C:\Users\msuman\Desktop\MBR.dat"
06:59:34.710 The log file has been saved successfully to "C:\Users\msuman\Desktop\aswMBR.txt"

Edited by knarf1, 03 February 2012 - 07:01 AM.

  • 0

#64
Homburg
    Trusted Helper
  • Malware Removal
  • 665 posts
We'll just remove that job, then I have a couple more things to try before I'll ask someone with more knowledge than myself.



Step 1:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    [2012/02/02 05:07:14 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\ErrorEND.job
    [2012/01/24 21:32:20 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
    [2012/01/22 18:08:29 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\C4EE5
    [2012/01/22 18:08:40 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\E594A
    
    :Services
    
    :Reg
    
    :Files
    
    ipconfig /flushdns /c
    
    :Commands
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done and post the fix log
  • Open OTL again
  • Select All users
  • Click the Quick Scan button. Post the log it produces in your next reply.
Try to start Windows Updates. If it won't start, move to the next step.


Step 2:

System file checker

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

It may ask for your Vista install disk, if you don't have it just click skip.

On completion reboot

Try to start Windows Updates. If it won't start, move to the next step.


Step 3:

Try the Microsoft Fixits once more.
here and here.

Try to start Windows Updates.
  • 0
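As an added example (not from this thread, from Homburg, or from the OTL tool itself), here is a small Python triage script that parses the OTL entry format used in these logs and flags the kinds of items the fix above targets: .job files under \Windows\Tasks with no company name in their version info, and short hex-named folders directly under AppData\Roaming. It also checks the Firefox prefs lines (seen in the later OTL log) for an HTTP proxy pointed at localhost. The regexes and the hex-name heuristic are my assumptions; the sample lines are copied from the logs posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One OTL entry: [yyyy/mm/dd hh:mm:ss | size | attrs | M/C] (company) -- path
# The "(company)" part is absent on folder lines; SRV/DRV lines add a
# "[Auto | Running]" state block and append " -- (ServiceName)" after the path.
ENTRY_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<flag>[MC])\]"
    r"(?: \((?P<company>[^)]*)\))?(?: \[[^\]]*\])? -- (?P<path>.+)$"
)
# Firefox preference lines in the OTL log: FF - prefs.js..<pref>: <value>
PREF_RE = re.compile(r"^FF - prefs\.js\.\.(?P<pref>[\w.]+): (?P<value>.+)$")
# Assumed heuristic: a 4-8 character hex-only folder name directly under
# AppData\Roaming (the C4EE5 / E594A folders removed in the fix above).
ROAMING_HEX_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{4,8}$", re.IGNORECASE)


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    company: Optional[str]   # None when the line has no "(...)" field at all
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def has_company(self) -> bool:
        # OTL prints "()" or "(No name found)" when the version info has no company.
        return self.company not in (None, "", "No name found")


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL log line; returns None for lines that are not file entries."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    # Drop the trailing " -- (ServiceName)" that SRV/DRV lines carry.
    path = m.group("path").split(" -- ")[0].strip()
    return Entry(
        timestamp=m.group("ts"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        company=m.group("company"),
        path=path,
    )


def triage_otl(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs worth a helper's review; nothing is removed."""
    findings: List[Tuple[str, str]] = []
    prefs: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        pm = PREF_RE.match(line)
        if pm:
            prefs[pm.group("pref")] = pm.group("value").strip('"')
            continue
        e = parse_entry(line)
        if e is None:
            continue
        low = e.path.lower()
        if low.endswith(".job") and "\\windows\\tasks\\" in low and not e.has_company:
            findings.append((e.path, "scheduled task with no company name in its version info"))
        elif e.is_dir and ROAMING_HEX_RE.search(e.path):
            findings.append((e.path, "short hex-named folder directly under AppData\\Roaming"))
    # A browser proxy pointed at the local machine is worth confirming with the user.
    if prefs.get("network.proxy.http") in ("127.0.0.1", "localhost"):
        port = prefs.get("network.proxy.http_port", "?")
        findings.append(
            (f"prefs.js network.proxy.http={prefs['network.proxy.http']}:{port}",
             "Firefox HTTP proxy points at localhost; confirm a local proxy is expected"),
        )
    return findings


# Sample lines copied from the OTL logs in this thread (not a full log).
SAMPLE_LOG = r"""
PRC - [2012/02/02 05:35:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\msuman\Desktop\OTL.exe
[2012/02/02 05:07:14 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\ErrorEND.job
[2012/01/24 21:32:20 | 000,000,506 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
[2012/01/22 18:08:29 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\C4EE5
[2012/01/22 18:08:40 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\E594A
[2011/01/14 18:40:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\msuman\AppData\Roaming\Mozilla\Extensions
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 59273
"""

if __name__ == "__main__":
    for item, reason in triage_otl(SAMPLE_LOG.splitlines()):
        print(f"{item}\n    -> {reason}")
```

The output is a review list only; deciding what actually goes into an :OTL fix block stays with the helper reading the full log.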

#65
knarf1
    Member
  • Topic Starter
  • 67 posts
All processes killed
========== OTL ==========
C:\Windows\Tasks\ErrorEND.job moved successfully.
C:\Windows\Tasks\SystemToolsDailyTest.job moved successfully.
C:\Users\msuman\AppData\Roaming\C4EE5 folder moved successfully.
C:\Users\msuman\AppData\Roaming\E594A folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\msuman\Desktop\cmd.bat deleted successfully.
C:\Users\msuman\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: McAfeeMVSUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: msuman
->Temp folder emptied: 55669229 bytes
->Temporary Internet Files folder emptied: 63693877 bytes
->Java cache emptied: 2023 bytes
->FireFox cache emptied: 48168857 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1404 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1278855 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 10072543 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 4379898 bytes

Total Files Cleaned = 175.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: McAfeeMVSUser

User: msuman
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.31.0 log created on 02032012_190959

Files\Folders moved on Reboot...
C:\Users\msuman\AppData\Local\Temp\~DFDA64.tmp moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWG4PPFM\fastbutton[1].htm moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWG4PPFM\ga[1].js moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWG4PPFM\prototype[1].js moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZWG4PPFM\scriptaculous[1].js moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1FCGJN2\dragdrop[1].js moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MRNMS2M\builder[1].js moved successfully.
C:\Users\msuman\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MRNMS2M\effects[1].js moved successfully.
File\Folder C:\Windows\temp\ZLT04fba.TMP not found!

Registry entries deleted on Reboot...
  • 0

#66
knarf1
    Member
  • Topic Starter
  • 67 posts
OTL logfile created on: 2/3/2012 7:58:31 PM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\msuman\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 0.87 Gb Available Physical Memory | 44.21% Memory free
4.17 Gb Paging File | 2.93 Gb Available in Paging File | 70.19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 222.78 Gb Total Space | 122.61 Gb Free Space | 55.04% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.74 Gb Free Space | 57.43% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 2794.52 Gb Total Space | 2349.97 Gb Free Space | 84.09% Space Free | Partition Type: NTFS

Computer Name: MSUMAN-PC | User Name: msuman | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/02/02 05:35:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\msuman\Desktop\OTL.exe
PRC - [2012/01/27 06:06:41 | 000,167,960 | ---- | M] (Sophos Limited) -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
PRC - [2012/01/27 06:05:27 | 001,543,704 | ---- | M] (Sophos Limited) -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
PRC - [2012/01/27 05:57:05 | 000,099,864 | ---- | M] (Sophos Limited) -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
PRC - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/01/13 14:53:18 | 000,460,872 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
PRC - [2011/12/18 21:04:24 | 000,073,360 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
PRC - [2011/11/04 19:48:26 | 000,273,528 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/11/03 06:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2011/11/03 06:44:24 | 000,738,944 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2011/05/06 12:36:09 | 000,494,616 | ---- | M] (Sophos Limited) -- C:\Program Files\Sophos\AutoUpdate\ALMon.exe
PRC - [2011/05/06 12:36:08 | 000,232,472 | ---- | M] (Sophos Limited) -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
PRC - [2009/04/10 22:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/08/18 22:19:38 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe
PRC - [2008/07/20 14:45:06 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/09/20 16:19:13 | 000,034,816 | ---- | M] () -- C:\Program Files\Google\Google Desktop Search\gzlib.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2012/01/27 06:06:41 | 000,167,960 | ---- | M] (Sophos Limited) [Unknown | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe -- (SAVAdminService)
SRV - [2012/01/27 06:05:27 | 001,543,704 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe -- (swi_service)
SRV - [2012/01/27 05:57:05 | 000,099,864 | ---- | M] (Sophos Limited) [Unknown | Running] -- C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe -- (SAVService)
SRV - [2012/01/13 14:53:18 | 000,652,360 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/12/18 21:08:42 | 002,420,616 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe -- (vsmon)
SRV - [2011/11/03 06:44:28 | 000,497,280 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2011/05/06 12:36:08 | 000,232,472 | ---- | M] (Sophos Limited) [Auto | Running] -- C:\Program Files\Sophos\AutoUpdate\ALsvc.exe -- (Sophos AutoUpdate Service)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/08/18 22:19:38 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2008/07/20 14:45:06 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®


========== Driver Services (SafeList) ==========

DRV - [2012/01/27 06:06:00 | 000,123,680 | ---- | M] (Sophos Limited) [File_System | System | Running] -- C:\Windows\System32\drivers\savonaccess.sys -- (SAVOnAccess)
DRV - [2012/01/27 05:56:46 | 000,024,312 | ---- | M] (Sophos Plc) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sdcfilter.sys -- (sdcfilter)
DRV - [2012/01/27 05:56:43 | 000,031,736 | ---- | M] (Sophos Plc) [Kernel | System | Running] -- C:\Windows\System32\drivers\skmscan.sys -- (SKMScan)
DRV - [2012/01/27 05:56:31 | 000,022,536 | ---- | M] (Sophos Plc) [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\SophosBootDriver.sys -- (SophosBootDriver)
DRV - [2011/12/10 15:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/11/03 06:44:20 | 000,027,016 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2011/05/12 09:30:18 | 000,021,744 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- c:\Program Files\Dell Support Center\pcdsrvc.pkms -- (PCDSRVC{E9D79540-57D5953E-06020101}_0)
DRV - [2011/05/07 17:51:26 | 000,451,160 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\Windows\System32\drivers\vsdatant.sys -- (Vsdatant)
DRV - [2008/12/23 03:47:52 | 000,138,240 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/08/26 09:55:14 | 000,112,128 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel®
DRV - [2008/08/18 23:03:28 | 000,079,960 | ---- | M] (JMicron Technology Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\jraid.sys -- (JRAID)
DRV - [2008/06/10 12:04:26 | 000,033,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\point32k.sys -- (Point32)
DRV - [2008/01/20 18:32:51 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2006/11/01 23:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\..\URLSearchHook: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.7
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {91da5e8a-3318-4f8c-b67e-5964de3ab546}:3.9.0.3
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 59273

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@checkpoint.com/FFApi: C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\npFFApi.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.669: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.669: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\[email protected]/YahooActiveXPluginBridge;version=1.0.0.1: C:\Program Files\Yahoo!\Common\npyaxmpb.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/11 08:30:28 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2012/01/27 13:44:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.26\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/02/01 09:09:59 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.26\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/02/01 09:09:59 | 000,000,000 | ---D | M]

[2011/01/14 18:40:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\msuman\AppData\Roaming\Mozilla\Extensions
[2012/02/02 20:29:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\extensions
[2011/02/24 16:46:54 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/01/28 15:23:56 | 000,000,000 | ---D | M] (ZoneAlarm Security Community Toolbar) -- C:\Users\msuman\AppData\Roaming\Mozilla\Firefox\Profiles\huiexf3r.default\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
[2012/01/27 13:28:42 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/30 12:48:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/21 03:02:35 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2012/01/11 08:30:28 | 000,000,000 | ---D | M] (RealPlayer Browser Record Plugin) -- C:\PROGRAMDATA\REAL\REALPLAYER\BROWSERRECORDPLUGIN\FIREFOX\EXT
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\16.0.912.75\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\msuman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.3_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Users\msuman\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\

O1 HOSTS File: ([2012/01/26 09:45:59 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Sophos Web Content Scanner) - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll (Sophos Limited)
O2 - BHO: (ZoneAlarm Security Engine Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Toolbar) - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\..\Toolbar\WebBrowser: (ZoneAlarm Security Toolbar) - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\..\Toolbar\WebBrowser: (ZoneAlarm Security Engine) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\ALMon.exe (Sophos Limited)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ZoneAlarm] C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe (Check Point Software Technologies LTD)
O4 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - C:\ProgramData\Sophos Web Intelligence\swi_lsp.dll (Sophos Limited)
O15 - HKU\.DEFAULT\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-18\..Trusted Ranges: GD ([http] in Local intranet)
O15 - HKU\S-1-5-21-1740862935-1246708322-3228964381-1001\..Trusted Domains: localhost ([]http in Local intranet)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9EF48691-42FF-4A13-8013-5A1CC8DE2354}: DhcpNameServer = 192.168.1.254
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll C:\PROGRA~1\Sophos\SOPHOS~1\sophos_detoured.dll) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL) -C:\Program Files\Sophos\Sophos Anti-Virus\sophos_detoured.dll (Sophos Limited)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\msuman\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\msuman\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 13:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2011/03/22 17:13:38 | 000,000,000 | R--D | M] - F:\autorun -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/02/03 19:09:59 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/02/02 06:08:47 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Users\msuman\Desktop\aswMBR.exe
[2012/02/02 05:35:34 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\msuman\Desktop\OTL.exe
[2012/01/28 23:24:29 | 000,000,000 | ---D | C] -- C:\Users\msuman\Documents\Remote Assistance Logs
[2012/01/28 10:13:10 | 000,000,000 | --SD | C] -- C:\ComboFix
[2012/01/28 09:33:56 | 000,000,000 | ---D | C] -- C:\ProgramData\ErrorEND
[2012/01/28 09:33:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ErrorEND
[2012/01/28 08:19:20 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/01/27 15:39:14 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\WindowsUpdate
[2012/01/27 13:29:20 | 000,000,000 | ---D | C] -- C:\Users\msuman\Documents\ForceField Shared Files
[2012/01/27 13:29:19 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Roaming\CheckPoint
[2012/01/27 13:28:56 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2012/01/27 13:28:53 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\Conduit
[2012/01/27 13:28:51 | 000,000,000 | ---D | C] -- C:\Program Files\ZoneAlarm_Security
[2012/01/27 13:28:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Check Point
[2012/01/27 13:28:21 | 000,000,000 | ---D | C] -- C:\ProgramData\CheckPoint
[2012/01/27 13:26:30 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2012/01/27 11:10:14 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\ElevatedDiagnostics
[2012/01/27 06:06:00 | 000,123,680 | ---- | C] (Sophos Limited) -- C:\Windows\System32\drivers\savonaccess.sys
[2012/01/27 06:01:59 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\Sophos
[2012/01/27 05:58:41 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos Web Intelligence
[2012/01/27 05:58:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2012/01/27 05:58:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Cisco Systems
[2012/01/27 05:58:00 | 000,030,744 | ---- | C] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe
[2012/01/27 05:56:46 | 000,024,312 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\sdcfilter.sys
[2012/01/27 05:56:43 | 000,031,736 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\skmscan.sys
[2012/01/27 05:56:39 | 000,131,824 | ---- | C] (Sophos Plc) -- C:\Windows\System32\sdccoinstaller.dll
[2012/01/27 05:56:31 | 000,022,536 | ---- | C] (Sophos Plc) -- C:\Windows\System32\drivers\SophosBootDriver.sys
[2012/01/27 05:56:11 | 000,000,000 | ---D | C] -- C:\ProgramData\Sophos
[2012/01/27 05:56:11 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2012/01/26 16:59:23 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/01/26 10:05:32 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/01/26 09:43:53 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\temp
[2012/01/25 21:00:56 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/01/23 07:49:56 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012/01/22 18:08:22 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Local\SanctionedMedia
[2012/01/11 12:04:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/01/11 12:04:21 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/01/11 10:47:30 | 000,000,000 | ---D | C] -- C:\Users\msuman\AppData\Roaming\Malwarebytes
[2012/01/11 10:47:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/01/11 10:47:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2012/01/11 10:47:19 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2012/01/11 10:47:19 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/01/11 09:33:37 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2012/01/11 09:33:37 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012/01/11 09:33:24 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012/01/11 09:16:34 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2012/01/04 20:38:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2012/01/04 20:37:49 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2012/01/04 20:37:40 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/25 18:59:08 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[1 C:\Users\msuman\*.tmp files -> C:\Users\msuman\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/03 19:54:06 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/03 19:54:01 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2012/02/03 19:53:53 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/03 19:53:53 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/03 19:53:48 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/03 19:53:47 | 2108,706,816 | -HS- | M] () -- C:\hiberfil.sys
[2012/02/03 19:27:50 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/02 06:59:34 | 000,000,512 | ---- | M] () -- C:\Users\msuman\Desktop\MBR.dat
[2012/02/02 06:09:03 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\msuman\Desktop\aswMBR.exe
[2012/02/02 05:35:36 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\msuman\Desktop\OTL.exe
[2012/02/01 06:20:16 | 000,000,908 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/28 07:42:43 | 000,330,200 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/01/27 17:03:34 | 000,604,264 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/01/27 17:03:34 | 000,103,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/01/27 13:31:08 | 000,415,859 | ---- | M] () -- C:\Windows\System32\drivers\vsconfig.xml
[2012/01/27 06:06:00 | 000,123,680 | ---- | M] (Sophos Limited) -- C:\Windows\System32\drivers\savonaccess.sys
[2012/01/27 05:56:59 | 000,030,744 | ---- | M] (Sophos Limited) -- C:\Windows\System32\SophosBootTasks.exe
[2012/01/27 05:56:46 | 000,024,312 | ---- | M] (Sophos Plc) -- C:\Windows\System32\drivers\sdcfilter.sys
[2012/01/27 05:56:43 | 000,031,736 | ---- | M] (Sophos Plc) -- C:\Windows\System32\drivers\skmscan.sys
[2012/01/27 05:56:39 | 000,131,824 | ---- | M] (Sophos Plc) -- C:\Windows\System32\sdccoinstaller.dll
[2012/01/27 05:56:31 | 000,022,536 | ---- | M] (Sophos Plc) -- C:\Windows\System32\drivers\SophosBootDriver.sys
[2012/01/27 05:48:50 | 000,000,600 | ---- | M] () -- C:\Users\msuman\Desktop\Norton_Removal_Tool - Shortcut.lnk
[2012/01/27 05:47:59 | 000,000,555 | ---- | M] () -- C:\Users\msuman\Desktop\AppRemover - Shortcut.lnk
[2012/01/26 09:45:59 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/01/26 08:48:16 | 000,001,356 | ---- | M] () -- C:\Users\msuman\AppData\Local\d3d9caps.dat
[2012/01/25 20:40:57 | 000,000,054 | ---- | M] () -- C:\Windows\System32\rp_stats.dat
[2012/01/25 20:40:57 | 000,000,039 | ---- | M] () -- C:\Windows\System32\rp_rules.dat
[2012/01/25 19:18:55 | 000,111,872 | ---- | M] () -- C:\Windows\System32\drivers\TrueSight.sys
[2012/01/25 06:29:13 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2012/01/24 20:04:26 | 000,030,735 | ---- | M] () -- C:\Users\msuman\Documents\malwarebytes BKD-7362011316.pdf
[2012/01/21 21:08:55 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012/01/13 19:51:19 | 000,000,907 | ---- | M] () -- C:\Users\msuman\Application Data\Microsoft\Internet Explorer\Quick Launch\circles Asuka Kimishima 002 - Shortcut.lnk
[2012/01/11 12:04:22 | 000,000,806 | ---- | M] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/04 20:38:59 | 000,001,666 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[1 C:\Users\msuman\*.tmp files -> C:\Users\msuman\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/02 06:59:34 | 000,000,512 | ---- | C] () -- C:\Users\msuman\Desktop\MBR.dat
[2012/01/27 13:30:04 | 000,415,859 | ---- | C] () -- C:\Windows\System32\drivers\vsconfig.xml
[2012/01/27 05:48:50 | 000,000,600 | ---- | C] () -- C:\Users\msuman\Desktop\Norton_Removal_Tool - Shortcut.lnk
[2012/01/27 05:47:59 | 000,000,555 | ---- | C] () -- C:\Users\msuman\Desktop\AppRemover - Shortcut.lnk
[2012/01/26 08:54:41 | 2108,706,816 | -HS- | C] () -- C:\hiberfil.sys
[2012/01/25 19:11:15 | 000,111,872 | ---- | C] () -- C:\Windows\System32\drivers\TrueSight.sys
[2012/01/24 20:04:25 | 000,030,735 | ---- | C] () -- C:\Users\msuman\Documents\malwarebytes BKD-7362011316.pdf
[2012/01/21 21:08:55 | 000,001,889 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2012/01/21 21:08:54 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2012/01/13 19:51:19 | 000,000,907 | ---- | C] () -- C:\Users\msuman\Application Data\Microsoft\Internet Explorer\Quick Launch\circles Asuka Kimishima 002 - Shortcut.lnk
[2012/01/11 12:04:22 | 000,000,806 | ---- | C] () -- C:\Users\Public\Desktop\CCleaner.lnk
[2012/01/11 10:48:40 | 000,000,908 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/01/04 20:38:59 | 000,001,666 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2011/03/24 15:51:28 | 000,000,054 | ---- | C] () -- C:\Windows\System32\rp_stats.dat
[2011/03/24 15:51:28 | 000,000,039 | ---- | C] () -- C:\Windows\System32\rp_rules.dat
[2011/01/16 14:34:45 | 000,000,050 | ---- | C] () -- C:\Windows\MegaManager.INI
[2011/01/06 17:10:30 | 000,000,011 | ---- | C] () -- C:\Windows\VSWizard.ini
[2010/09/22 16:01:43 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2010/08/25 19:30:02 | 000,439,308 | ---- | C] () -- C:\Windows\System32\igcompkrng500.bin
[2010/08/25 19:30:00 | 000,982,240 | ---- | C] () -- C:\Windows\System32\igkrng500.bin
[2010/08/25 19:30:00 | 000,092,356 | ---- | C] () -- C:\Windows\System32\igfcg500m.bin
[2010/08/25 18:57:00 | 000,000,151 | ---- | C] () -- C:\Windows\System32\GfxUI.exe.config
[2010/08/25 18:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/08/25 18:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2009/10/20 17:40:38 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/10/20 17:40:38 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/02/16 14:01:04 | 000,061,678 | ---- | C] () -- C:\Users\msuman\AppData\Roaming\PFP100JPR.{PB
[2009/02/16 14:01:04 | 000,012,358 | ---- | C] () -- C:\Users\msuman\AppData\Roaming\PFP100JCM.{PB
[2009/02/13 20:48:41 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/06 09:53:44 | 000,017,920 | ---- | C] () -- C:\Users\msuman\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/05 18:39:21 | 000,001,356 | ---- | C] () -- C:\Users\msuman\AppData\Local\d3d9caps.dat
[2009/01/29 00:08:29 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1545.dll
[2009/01/29 00:08:29 | 000,147,172 | ---- | C] () -- C:\Windows\System32\igfcg550.bin
[2009/01/29 00:08:29 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2009/01/29 00:06:08 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/02/03 15:37:35 | 000,000,000 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2006/11/02 04:53:49 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 04:44:53 | 000,330,200 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 02:33:01 | 000,604,264 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 02:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 02:33:01 | 000,103,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 02:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 02:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 00:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 00:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/01 23:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/01 23:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

========== LOP Check ==========

[2012/01/27 13:29:19 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\CheckPoint
[2011/05/24 19:38:00 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\PCDr
[2009/08/23 10:36:56 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\Uniblue
[2010/02/25 15:12:11 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\uTorrent
[2010/11/27 13:17:24 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\WhiteSmokeSetup
[2010/11/27 15:04:11 | 000,000,000 | ---D | M] -- C:\Users\msuman\AppData\Roaming\WhiteSmokeTranslator
[2012/02/03 19:54:01 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2012/02/03 19:52:42 | 000,032,596 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 641 bytes -> C:\Users\msuman\Documents\bookmarks.eml:OECustomProperty

< End of report >
  • 0

#67
knarf1

    Member

  • Topic Starter
  • Member
  • 67 posts
No luck with the Windows updates.
  • 0

#68
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Please download Farbar Service Scanner and run it on your computer.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

  • 0

#69
knarf1

    Member

  • Topic Starter
  • Member
  • 67 posts
Farbar Service Scanner Version: 04-02-2012 01
Ran by msuman (administrator) on 04-02-2012 at 07:53:17
Running from "C:\Users\msuman\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is blocked.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-20 17:40] - [2009-04-10 22:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-10-20 17:40] - [2009-04-10 22:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#70
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
The Windows Update section looks ok, but I can see a corrupt registry entry that needs repairing and may be stopping the Updates from working.

Stop your ZoneAlarm firewall while we are doing this fix.


Step 1:

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Posted Image



Step 2:

Download the registry file and save it on your desktop:

registry file

Once the file is downloaded, if it has a .txt on the end, right click it, select rename and name it firewall.reg

Right click Firewall.reg, select Merge and OK the merge.

Restart your PC


Click Start, type services.msc in the run box and click OK

Next look in the services for Windows Firewall

Make sure it is set to Startup type: Automatic. If it is not, select Automatic.

Now look at Service status: Started. If it is not, select Start.

Then click OK

Now check to see that Windows Firewall is on and working.

Run Farbar's Service Scanner as before and post the report.
  • 0
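As an added example (not the helper's code and not part of Farbar's tool), the PowerShell script below runs the same checks that the FSS log above reports for the MpsSvc service key and the FirewallPolicy EnableFirewall values, and with -Repair applies the two services.msc steps from this post. It assumes PowerShell is installed and is run from an elevated prompt; the registry paths and values are the standard Windows ones.

```powershell
<#
  Firewall-state audit mirroring the Farbar Service Scanner sections
  "Windows Firewall" and "Firewall Disabled Policy":
  - does the MpsSvc (Windows Firewall) service key exist, and is it set to Automatic (Start = 2)?
  - is the service running?
  - does any FirewallPolicy profile carry EnableFirewall = 0?
  Added example; assumes an elevated PowerShell prompt.
#>
param([switch]$Repair)   # -Repair applies the services.msc steps from the post: Automatic + Start

$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc'
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles  = 'DomainProfile', 'StandardProfile', 'PublicProfile'
$findings  = @()

# 1. Service definition, as in FSS "Checking Start type / ImagePath / ServiceDll"
if (-not (Test-Path $svcKey)) {
    $findings += 'MpsSvc registry key does not exist (service definition missing)'
} else {
    $svc = Get-ItemProperty -Path $svcKey
    # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
    if ($svc.Start -ne 2) { $findings += "MpsSvc start type is $($svc.Start), expected 2 (Automatic)" }
    # MpsSvc is hosted by svchost.exe and implemented in mpssvc.dll
    if ($svc.ImagePath -notmatch 'svchost\.exe') { $findings += "MpsSvc ImagePath unexpected: $($svc.ImagePath)" }
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -notmatch 'mpssvc\.dll$') { $findings += "MpsSvc ServiceDll unexpected: $dll" }
}

# 2. Service state, as seen in services.msc under "Service status"
$service = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $service) {
    $findings += 'MpsSvc service is not registered with the Service Control Manager'
} elseif ($service.Status -ne 'Running') {
    $findings += "MpsSvc service is $($service.Status), expected Running"
}

# 3. EnableFirewall = 0 per profile, as in FSS "Firewall Disabled Policy"
foreach ($p in $profiles) {
    $val = (Get-ItemProperty -Path "$policyKey\$p" -ErrorAction SilentlyContinue).EnableFirewall
    if ($val -eq 0) { $findings += "$p has EnableFirewall = 0 (firewall disabled for this profile)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'Windows Firewall service and policy values look OK.'
} else {
    $findings | ForEach-Object { Write-Output "Attention! $_" }
}

# Optional repair: the same two services.msc steps the post describes.
# Only possible when the service definition exists; a missing key needs the registry import first.
if ($Repair -and $service) {
    Set-Service -Name MpsSvc -StartupType Automatic
    if ($service.Status -ne 'Running') { Start-Service -Name MpsSvc }
    Write-Output "MpsSvc now: $((Get-Service -Name MpsSvc).Status), StartupType Automatic"
}
```

Run it once before the fix and once after, and compare the two outputs with the FSS logs posted in this thread.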


#71
knarf1

    Member

  • Topic Starter
  • Member
  • 67 posts
At this point:

Download the registry file and save it on your desktop:

registry file



When I click on "registry file" I get nothing. It says the link "is not a valid host name."

Edited by knarf1, 04 February 2012 - 06:56 PM.

  • 0

#72
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Apologies, try this link
  • 0

#73
knarf1

    Member

  • Topic Starter
  • Member
  • 67 posts
Farbar Service Scanner Version: 04-02-2012 01
Ran by msuman (administrator) on 05-02-2012 at 07:57:47
Running from "C:\Users\msuman\Desktop"
Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll
[2009-10-20 17:40] - [2009-04-10 22:28] - 0758784 ____A (Microsoft Corporation) 93952506C6D67330367F7E7934B6A02F

C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2009-10-20 17:40] - [2009-04-10 22:28] - 0129024 ____A (Microsoft Corporation) FB27772BEAF8E1D28CCD825C09DA939B

C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
  • 0

#74
Homburg

    Trusted Helper

  • Malware Removal
  • 665 posts
Windows Updates:
Download this zip file and extract all the files to your desktop
Run the fixwu.exe file
This will re-register all the DLL and OCX files

Check to see if you can turn on Windows Updates

  • 0

#75
knarf1

    Member

  • Topic Starter
  • Member
  • 67 posts
Thanks.

I got the message: "The process completed successfully."

But it still does not work.
  • 0
