Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Win32:Malware-gen trojan infection


  • Please log in to reply

#1
gregahoffman

gregahoffman

    Member

  • Member
  • PipPipPip
  • 400 posts
hello,

i hope someone can help me with my work stations. they have been slow for months and have recently gotten slower. the shop had 3 different AV programs on 3 different work stations. i installed avast on all 3 after removing the other AV programs. the scan indicated they are infected with Win32:Malware-gen. i looked this up on the internet and tried a solution that had me run combo fix. still have the problem, but now i keep getting a pop up that says my version of windows xp is not valid. can someone help me out please?

thank you.
  • 1

Advertisements


#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Download : ADWCleaner to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.

Close all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).

Posted Image

Click on Scan and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.

The report will be saved in the C:\AdwCleaner folder.



Junkware-Removal-Tool

Please download Junkware Removal Tool to your desktop.
  • Pause your anti-virus. Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Download aswMBR.exe to your desktop.
Run aswMBR.exe (Vista or Win 7 => right click and Run As Administrator)

uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply


Get the free version of Speccy:

http://www.filehippo...download_speccy (Look in the upper right for the Download
Latest Version button) Download, Save and Install it. Run Speccy. When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File, (to your desktop) note the name it gives. OK. Open the file in notepad and delete the line that gives the serial number of your Operating System. (It will be near the top about 10 lines down.) Attach the file to your next post.

(If you do not already have OTL then: Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop.)

Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
rsvpsp.dll
pnrpnsp.dll 
nwprovau.dll
nlaapi.dll
napinsp.dll
mswsock.dll
winrnr.dll
wshelper.dll
services.exe
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
csrss.exe
PrintIsolationHost.exe
consrv.dll
user32.dll
/md5stop
dir C:\ /S /A:L /C
C:\Windows\assembly\tmp\U\*.* /s
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%ProgramFiles%\WINDOWS NT\*.* /s
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.

Ron
  • 0

#3
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
In addition to my first post - since you have Avast: do a boot-time scan on each one. I usually let it do the scan while I sleep because it takes so long:


First mute the speakers so it won't wake you up when Windows loads. Click on the Orange ball. Click on Security. Click on AntiVirus. Scroll down to the bottom and find Boot-time scan. Click on Settings. Where it says Heuristic Sensitivity click on the last rectangle so that all of them are orange and it says High. Then change When a threat is found ... to: Move to Chest. OK. Now click on Schedule Now. Close the Avast window and then reboot. The scan will start. It will tell you where it will save the report. Usually it's
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location. When Windows loads Click on the Orange Ball then Maintenance then Scan Logs. Click on the Boot-time scan log and then View Results. IF it found anything then open the saved Report and copy and paste the text into a reply so I can see it.
  • 0

#4
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
ok, i'll work on. should i do just the server or all 3 machines?
  • 0

#5
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
got through all the downloads until i got to OTL. keep getting the pop up message that OTL cannot be run from a temporary folder. please download it to your desktop or other suitable location. i tried all the downloads you provided and also tried to save it in my documents, it will not run.
  • 0

#6
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
attached are the other logs you requested

Attached Files


  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
OK. Try DDS

Please download DDS from http://download.blee...om/sUBs/dds.com or http://download.blee...om/sUBs/dds.scr
and save it to your desktop.

* Disable any script blocking protection
* Double click dds.pif to run the tool. (Vista and Win 7 please right click and Run As Admin)
* When done, two DDS.txt's will open.
* Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
  • 0

#8
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
dds txt attached, the boot scan found 6 infected files, where would i find the log for that?

Attached Files


  • 0

#9
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

The boot scan found 6 infected files, where would i find the log for that?


Usually it's
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt

This is a hidden file so you may need to:

Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and exit

Will OTL run now that you have run the boot-time scan?

I am seeing AVG errors so

Download and save the AVG removal tool
http://download.avg....6_2011_1184.exe

Run the Avg Remover.

ComboFix

:!: It must be saved to your desktop, do not run it from your browser:!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double click on ComboFix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.


Get Process Explorer

http://live.sysinter...com/procexp.exe
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text to a reply.
  • 0

#10
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
i am still not able to open OTL. also cannot acces one of our other shops via a VPN GUI connection. also cannot acces my outlook, a pop up tells me C:\documents and settings\temp\local settings\application data\microsoft\outlook\outlook.pst cannot be found.

here is the log from combofix.

ComboFix 13-09-24.02 - Temp 09/25/2013 11:53:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1635 [GMT -5:00]
Running from: c:\documents and settings\Temp\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\msgsvc.dll was found and disinfected
Restored copy from - c:\windows\erdnt\cache\msgsvc.dll
.
.
((((((((((((((((((((((((( Files Created from 2013-08-25 to 2013-09-25 )))))))))))))))))))))))))))))))
.
.
2013-09-25 14:53 . 2013-09-25 14:53 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\PCHealth
2013-09-25 14:32 . 2013-09-25 14:32 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\Microsoft Help
2013-09-24 22:35 . 2013-08-30 07:48 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-09-24 22:35 . 2013-08-30 07:48 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-09-24 22:35 . 2013-08-30 07:48 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-09-24 22:14 . 2013-09-24 22:14 -------- d-----w- c:\program files\Speccy
2013-09-24 21:21 . 2013-09-24 21:21 -------- d-----w- c:\windows\ERUNT
2013-09-24 21:13 . 2013-09-24 21:14 -------- d-----w- C:\AdwCleaner
2013-09-24 21:10 . 2013-08-30 07:48 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-09-24 21:10 . 2013-08-30 07:48 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-09-24 21:10 . 2013-08-30 07:48 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-09-24 21:10 . 2013-08-30 07:48 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-09-24 21:10 . 2013-08-30 07:48 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-09-24 21:09 . 2013-08-30 07:47 41664 ----a-w- c:\windows\avastSS.scr
2013-09-24 21:09 . 2013-08-30 07:47 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-09-24 15:38 . 2013-09-24 15:38 -------- d-----w- c:\documents and settings\Temp\Local Settings\Application Data\LogMeIn
2013-09-24 15:38 . 2013-09-24 15:38 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2013-09-24 14:34 . 2013-09-24 14:34 -------- d-----w- c:\windows\system32\wbem\Repository
2013-09-24 14:30 . 2013-09-24 14:30 -------- d-----w- c:\documents and settings\Temp\Application Data\AVG SafeGuard toolbar
2013-09-24 13:02 . 2013-09-24 14:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\AVG2013(2)
2013-09-23 17:58 . 2013-09-24 21:09 -------- d-----w- c:\program files\AVAST Software
2013-09-23 17:58 . 2013-09-24 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2013-09-23 12:49 . 2013-09-24 14:31 -------- d-----w- c:\documents and settings\Temp\Application Data\AVG
2013-09-23 12:45 . 2013-09-23 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
2013-09-19 12:55 . 2013-09-24 14:32 -------- d-----w- c:\program files\WinUtilities
2013-09-18 14:42 . 2013-09-18 14:42 -------- d-----w- c:\documents and settings\Temp\Application Data\Malwarebytes
2013-09-18 14:41 . 2013-09-18 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-09-18 14:41 . 2013-09-24 14:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-24 15:24 . 2012-09-20 16:28 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-24 15:24 . 2012-09-20 16:28 692616 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-09 01:56 . 2002-12-31 12:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2002-12-31 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2002-12-31 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2002-12-31 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2002-12-31 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2002-12-31 12:00 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2002-12-31 12:00 385024 ------w- c:\windows\system32\html.iec
2013-08-05 13:30 . 2002-12-31 12:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-07-31 20:11 . 2002-12-31 12:00 810496 ----a-w- c:\windows\system32\wmvdmod.dll
2013-07-26 02:47 . 2002-12-31 12:00 920064 ----a-w- c:\windows\system32\wininet(4).dll
2013-07-26 02:47 . 2002-12-31 12:00 1215488 ----a-w- c:\windows\system32\urlmon(4).dll
2013-07-26 02:47 . 2002-12-31 12:00 105984 ----a-w- c:\windows\system32\url(4).dll
2013-07-10 10:37 . 2002-12-31 12:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2002-12-31 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-01 12:34 . 2013-07-01 12:34 1409 ----a-w- c:\windows\Fonts\OCRAEXT.FOT
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-05 114688]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-06-08 63048]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-02-22 1497352]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-7-25 1155472]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-06-07 23:26 92488 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [9/24/2013 5:35 PM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [9/24/2013 5:35 PM 177864]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/24/2013 4:10 PM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/24/2013 4:10 PM 369584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/24/2013 4:10 PM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [9/24/2013 5:35 PM 66336]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/5/2012 6:09 PM 375120]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/8/2012 12:06 PM 13624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-09-20 15:24]
.
2013-09-25 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-09-24 07:47]
.
2003-08-26 c:\windows\Tasks\CommShop Receive PUT.job
- c:\vast\CommShop.exe [2008-05-27 03:03]
.
2003-08-26 c:\windows\Tasks\CommShop Send EOD.job
- c:\vast\CommShop.exe [2008-05-27 03:03]
.
2003-08-21 c:\windows\Tasks\compactdb.job
- c:\vast\CompactDB.exe [2008-05-27 16:27]
.
2003-08-21 c:\windows\Tasks\Credit Process.job
- c:\vast\midascrd.exe [2006-12-30 16:32]
.
2003-08-21 c:\windows\Tasks\Daily Update Process.job
- c:\vast\Put.exe [2007-11-28 20:57]
.
2003-08-21 c:\windows\Tasks\DBBackUp.job
- c:\vast\DBBackUp.exe [2007-11-26 15:52]
.
2003-08-21 c:\windows\Tasks\EOD.job
- c:\vast\EOD.exe [2008-03-14 13:58]
.
2003-08-21 c:\windows\Tasks\EOM.job
- c:\vast\EOD.exe [2008-03-14 13:58]
.
2008-05-06 c:\windows\Tasks\RepairDB.job
- c:\vast\Repairdb.exe [2008-05-27 16:28]
.
2003-08-21 c:\windows\Tasks\Sunday Update Process.job
- c:\vast\Put.exe [2007-11-28 20:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.alldatapro.com/alldata/PRO~OF1~C8000~N/0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-25 12:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\WgaTray.exe
.
**************************************************************************
.
Completion time: 2013-09-25 12:25:39 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-25 17:25
ComboFix2.txt 2013-09-24 16:22
.
Pre-Run: 58,349,965,312 bytes free
Post-Run: 58,644,078,592 bytes free
.
- - End Of File - - 4B5C44B193C91085947F12BD2937C5B7
8F558EB6672622401DA993E1E865C861
  • 0

Advertisements


#11
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
process explorere log

Process CPU Private Bytes Working Set PID Verified Signer
System Idle Process 98.44 0 K 28 K 0
procexp.exe 0.78 25,688 K 30,548 K 2452 (Verified) Microsoft Corporation
Interrupts 0.78 0 K 0 K n/a
wmiprvse.exe 2,188 K 5,452 K 2920 (Verified) Microsoft Windows Component Publisher
winlogon.exe 7,272 K 2,960 K 1076 (Verified) Microsoft Windows Component Publisher
WgaTray.exe 4,816 K 1,300 K 2064 (Verified) Microsoft Corporation
System 0 K 252 K 4
svchost.exe 3,188 K 5,300 K 1308 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,876 K 4,500 K 1376 (Verified) Microsoft Windows Component Publisher
svchost.exe 19,648 K 31,660 K 1520 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,412 K 3,808 K 1676 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,584 K 4,064 K 1784 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,348 K 3,992 K 972 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,076 K 3,080 K 1596 (Verified) Microsoft Windows Component Publisher
svchost.exe 1,072 K 3,056 K 1712 (Verified) Microsoft Windows Component Publisher
svchost.exe 2,436 K 4,308 K 348 (Verified) Microsoft Windows Component Publisher
svchost.exe 5,740 K 7,828 K 2976 (Verified) Microsoft Windows Component Publisher
spoolsv.exe 3,560 K 5,680 K 212 (Verified) Microsoft Windows Component Publisher
smss.exe 176 K 432 K 1004 (Verified) Microsoft Windows Component Publisher
services.exe 1,840 K 3,600 K 1120 (Verified) Microsoft Windows Component Publisher
ramaint.exe 1,192 K 3,552 K 1316 (Verified) LogMeIn
QBCFMonitorService.exe 12,852 K 9,240 K 1744 (No signature was present in the subject) Intuit
lsass.exe 4,164 K 2,908 K 1132 (Verified) Microsoft Windows Component Publisher
LogMeInSystray.exe 4,172 K 8,080 K 1572 (Verified) LogMeIn
LogMeIn.exe 12,516 K 13,924 K 1480 (Verified) LogMeIn
LMIGuardianSvc.exe 1,352 K 4,352 K 1056 (Verified) LogMeIn
igfxpers.exe 964 K 3,280 K 3308 (Verified) Microsoft Windows Hardware Compatibility Publisher
iexplore.exe 11,380 K 800 K 1904 (Verified) Microsoft Windows
iexplore.exe 63,900 K 77,232 K 1844 (Verified) Microsoft Windows
hkcmd.exe 940 K 3,172 K 3256 (Verified) Microsoft Windows Hardware Compatibility Publisher
GrooveMonitor.exe 2,068 K 5,924 K 3124 (Verified) Microsoft Corporation
explorer.exe 15,820 K 23,776 K 3612 (Verified) Microsoft Windows Component Publisher
ctfmon.exe 1,260 K 4,180 K 1136 (Verified) Microsoft Windows Component Publisher
csrss.exe 1,908 K 4,224 K 1052 (Verified) Microsoft Windows Component Publisher
AvastUI.exe 9,724 K 4,760 K 2872 (Verified) AVAST Software
AvastSvc.exe 27,236 K 2,060 K 1828 (Verified) AVAST Software
alg.exe 1,504 K 4,108 K 2184 (Verified) Microsoft Windows Component Publisher
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Copy the text in the code box:

/md5start
msgsvc.dll
outlook.pst
/md5stop
CREATERESTOREPOINT

Run OTL (Vista or Win 7 => right click and Run As Administrator)

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes

Select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.




Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs. Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.
  • 0

#13
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
i still can't get otl to open
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Oops forgot.

Try OTL in Safe Mode:


(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

If that doesn't work go on with the other steps.
  • 0

#15
gregahoffman

gregahoffman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 400 posts
got otl to run in safe mode.

OTL logfile created on: 9/25/2013 1:58:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 87.54% Memory free
3.84 Gb Paging File | 3.77 Gb Available in Paging File | 98.04% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 54.69 Gb Free Space | 73.41% Space Free | Partition Type: NTFS

Computer Name: TEMP-6A27591C80 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/09/25 13:56:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2009/03/10 22:18:14 | 000,934,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
PRC - [2002/12/31 07:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2002/12/31 07:00:00 | 000,015,360 | ---- | M] () -- C:\WINDOWS\system32\tsd32.dll


========== Services (SafeList) ==========

SRV - [2013/09/24 10:24:51 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/30 02:47:33 | 000,046,808 | ---- | M] (AVAST Software) [Auto | Stopped] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013/06/07 18:27:01 | 000,202,576 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\ramaint.exe -- (LMIMaint)
SRV - [2013/06/07 18:26:33 | 000,375,120 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe -- (LMIGuardianSvc)
SRV - [2013/01/31 11:58:04 | 000,014,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
SRV - [2012/07/25 16:03:12 | 000,045,056 | ---- | M] (Intuit) [Auto | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2012/06/08 12:06:24 | 000,390,528 | ---- | M] (LogMeIn, Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn\x86\LogMeIn.exe -- (LogMeIn)
SRV - [2009/07/23 21:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2013/08/30 02:48:13 | 000,369,584 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2013/08/30 02:48:13 | 000,177,864 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013/08/30 02:48:13 | 000,056,080 | ---- | M] (AVAST Software) [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013/08/30 02:48:12 | 000,770,344 | ---- | M] (AVAST Software) [File_System | System | Stopped] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013/08/30 02:48:12 | 000,049,760 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2013/08/30 02:48:12 | 000,049,376 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013/08/30 02:48:11 | 000,066,336 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013/08/30 02:48:11 | 000,029,816 | ---- | M] (AVAST Software) [File_System | Auto | Stopped] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013/06/07 18:26:34 | 000,086,888 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\WINDOWS\System32\LMIRfsClientNP.dll -- (LMIRfsClientNP)
DRV - [2013/05/29 18:27:34 | 000,013,624 | ---- | M] (LogMeIn, Inc.) [Kernel | Auto | Stopped] -- C:\Program Files\LogMeIn\x86\rainfo.sys -- (LMIInfo)
DRV - [2013/01/31 11:58:04 | 000,026,624 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0901.sys -- (tap0901)
DRV - [2012/06/08 12:06:24 | 000,047,640 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
DRV - [2009/02/25 04:27:32 | 000,118,656 | ---- | M] (TRENDware International, Inc ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2005/11/16 15:36:00 | 001,047,816 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2005/10/22 07:22:52 | 000,016,800 | ---- | M] (HP) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hppaufd0.sys -- (dot4ufd)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 72 58 C3 A3 20 BA CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2013/09/25 12:23:06 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1007 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{308E3A72-D076-4737-B06F-201DDC587F7C}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LMIinit: DllName - (LMIinit.dll) - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/09/20 10:14:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

CREATERESTOREPOINT
Unable to start System Restore Service. Error code 10

========== Files/Folders - Created Within 30 Days ==========

[2013/09/25 13:56:41 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/09/25 13:54:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2013/09/25 13:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2013/09/25 13:54:19 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\PrivacIE
[2013/09/25 13:54:00 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\IETldCache
[2013/09/25 13:53:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator\Cookies
[2013/09/25 13:53:37 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2013/09/25 13:53:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Application Data
[2013/09/25 13:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft
[2013/09/25 13:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Favorites
[2013/09/25 13:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop
[2013/09/25 13:53:36 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\SendTo
[2013/09/25 13:53:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
[2013/09/25 13:53:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu
[2013/09/25 13:53:36 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories
[2013/09/25 13:53:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Templates
[2013/09/25 13:53:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Recent
[2013/09/25 13:53:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\PrintHood
[2013/09/25 13:53:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\NetHood
[2013/09/25 13:53:36 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator\Local Settings
[2013/09/25 13:53:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents
[2013/09/25 13:53:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2013/09/25 13:42:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/09/25 11:58:34 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2013/09/24 17:35:33 | 000,066,336 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013/09/24 17:14:14 | 000,000,000 | ---D | C] -- C:\Program Files\Speccy
[2013/09/24 16:21:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2013/09/24 16:13:45 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/09/24 16:10:13 | 000,029,816 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013/09/24 16:10:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2013/09/24 16:10:12 | 000,369,584 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013/09/24 16:10:10 | 000,056,080 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013/09/24 16:10:10 | 000,049,760 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013/09/24 16:10:09 | 000,770,344 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013/09/24 16:09:38 | 000,041,664 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013/09/24 16:09:37 | 000,229,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2013/09/24 11:04:58 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/09/24 10:48:04 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/09/24 10:48:04 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/09/24 10:48:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/09/24 10:48:04 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/09/24 10:38:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Intuit
[2013/09/24 08:48:21 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/09/24 08:48:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/09/23 14:04:01 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2013/09/23 12:58:19 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013/09/23 12:58:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2013/09/23 07:45:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG
[2013/09/19 07:55:02 | 000,000,000 | ---D | C] -- C:\Program Files\WinUtilities
[2013/09/18 09:41:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/09/18 09:41:51 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

========== Files - Modified Within 30 Days ==========

[2013/09/25 13:56:47 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2013/09/25 13:53:55 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/09/25 13:53:25 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/09/25 13:50:48 | 000,000,316 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/09/25 13:23:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/09/25 12:23:06 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/09/25 10:52:32 | 000,280,536 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/09/24 17:35:33 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2013/09/24 17:14:15 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Speccy.lnk
[2013/09/24 16:10:13 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013/09/24 11:05:03 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/09/24 10:32:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/09/24 10:30:44 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2013/09/24 10:24:50 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/09/24 10:24:50 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2013/08/30 02:48:13 | 000,369,584 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2013/08/30 02:48:13 | 000,177,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/08/30 02:48:13 | 000,056,080 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2013/08/30 02:48:12 | 000,770,344 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2013/08/30 02:48:12 | 000,049,760 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2013/08/30 02:48:12 | 000,049,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/08/30 02:48:11 | 000,066,336 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswMonFlt.sys
[2013/08/30 02:48:11 | 000,029,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2013/08/30 02:47:40 | 000,041,664 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2013/08/30 02:47:32 | 000,229,648 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe

========== Files Created - No Company Name ==========

[2013/09/25 13:53:37 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk
[2013/09/25 13:53:37 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk
[2013/09/24 17:35:35 | 000,177,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswVmm.sys
[2013/09/24 17:35:34 | 000,049,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\aswRvrt.sys
[2013/09/24 17:14:15 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Speccy.lnk
[2013/09/24 16:10:13 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2013/09/24 16:10:08 | 000,000,316 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2013/09/24 11:05:03 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/09/24 11:05:01 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/09/24 10:48:04 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/09/24 10:48:04 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/09/24 10:48:04 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/09/24 10:48:04 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/09/24 10:48:04 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/09/24 10:31:51 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2013/07/01 07:35:02 | 000,098,816 | ---- | C] () -- C:\WINDOWS\System32\Pbtrvd32.dll
[2013/07/01 07:35:02 | 000,046,592 | ---- | C] () -- C:\WINDOWS\System32\Sbtrv32.dll
[2013/07/01 07:35:02 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\Swcomp32.dll
[2013/07/01 07:35:01 | 000,320,512 | ---- | C] () -- C:\WINDOWS\System32\W32mkde.exe
[2013/07/01 07:35:01 | 000,092,160 | ---- | C] () -- C:\WINDOWS\System32\Pedtconv.dll
[2013/07/01 07:35:01 | 000,008,192 | ---- | C] () -- C:\WINDOWS\System32\Vamngr32.dll
[2013/07/01 07:34:51 | 000,748,160 | ---- | C] () -- C:\WINDOWS\System32\CO2C40EN.DLL
[2013/07/01 07:34:51 | 000,054,272 | ---- | C] () -- C:\WINDOWS\System32\P2IRDAO.DLL
[2013/07/01 07:34:51 | 000,050,176 | ---- | C] () -- C:\WINDOWS\System32\P2CTDAO.DLL
[2013/07/01 07:34:51 | 000,036,352 | ---- | C] () -- C:\WINDOWS\System32\P2BBND.DLL
[2012/10/01 07:22:35 | 000,000,090 | ---- | C] () -- C:\WINDOWS\QBChanUtil_Trigger.ini
[2012/09/20 10:40:40 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/09/20 10:17:20 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/09/20 10:11:21 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/09/20 04:56:34 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/09/20 04:55:06 | 000,280,536 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/11 16:59:30 | 000,009,584 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

========== ZeroAccess Check ==========

[2012/09/27 07:20:09 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2012/06/28 16:33:05 | 001,510,400 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 07:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2002/12/31 07:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

< MD5 for: MSGSVC.DLL >
[2002/12/31 07:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) MD5=986B1FF5814366D71E0AC5755C88F2D3 -- C:\WINDOWS\erdnt\cache\msgsvc.dll
[2002/12/31 07:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) MD5=986B1FF5814366D71E0AC5755C88F2D3 -- C:\WINDOWS\system32\msgsvc.dll

< >

< End of report >


OTL Extras logfile created on: 9/25/2013 1:58:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.74 Gb Available Physical Memory | 87.54% Memory free
3.84 Gb Paging File | 3.77 Gb Available in Paging File | 98.04% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 54.69 Gb Free Space | 73.41% Space Free | Partition Type: NTFS

Computer Name: TEMP-6A27591C80 | User Name: Administrator | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- "%1" %*
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.cmd [@ = cmdfile] -- "%1" %*
.com [@ = ComFile] -- "%1" %*
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.exe [@ = exefile] -- "%1" %*
.hlp [@ = hlpfile] -- C:\WINDOWS\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS\System32\rundll32.exe (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.pif [@ = piffile] -- "%1" %*
.reg [@ = regfile] -- C:\WINDOWS\regedit.exe (Microsoft Corporation)
.scr [@ = scrfile] -- "%1" /S
.txt [@ = txtfile] -- C:\WINDOWS\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS\System32\WScript.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2010\QBDBMgrN.exe:*:Enabled:QuickBooks 2010 Data Manager -- (Intuit, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks
"{0700E22B-A422-40A5-BD20-04BF618CA0F9}" = QuickBooks Pro 2010
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{22461A1C-BD68-4D90-9897-1DB146D55ECB}" = LogMeIn
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{455CF228-9805-4F94-9246-D475F4C90829}" = Citrix Online Launcher
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{98333358-268C-4164-B6D4-C96DF5153727}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = 2007 Microsoft Office Suite Service Pack 3 (SP3)
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DE3F260-B88E-42CE-90E7-73C78C37D95E}" = 32 Bit HP BiDi Channel Components Installer
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.8)
"{BCB4C18A-ACA6-4383-8688-E19933A705DD}" = Microsoft SOAP Toolkit 3.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DABE24BE-C757-40D1-BB5B-1F494BD33049}" = VAST Point of Sale Complete or Upgrade 6.11.61
"{DDD076BF-C5C3-468C-AA1B-F9A7E47446FE}" = Intel® Network Connections 13.1.33.0
"{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1" = Auslogics DiskDefrag
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"ENTERPRISE" = Microsoft Office Enterprise 2007
"FileZilla Client" = FileZilla Client 3.5.0
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Microsoft Visual Studio 2005 Tools for Office Runtime
"OpenVPN" = OpenVPN 2.2.2-gui-1.0.3
"Speccy" = Speccy

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 9/24/2013 9:04:04 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application avgdiagex.exe, version 13.0.0.3304, faulting
module avgduix.dll, version 13.0.0.3211, fault address 0x000527d9.

Error - 9/24/2013 9:52:38 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application avgwdsvc.exe, version 13.0.0.3390, faulting module
avgwd.dll, version 13.0.0.3406, fault address 0x000808f1.

Error - 9/24/2013 9:52:46 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application avgdiagex.exe, version 13.0.0.3304, faulting
module avgduix.dll, version 13.0.0.3211, fault address 0x000527d9.

Error - 9/24/2013 10:13:56 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 9/24/2013 10:14:04 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application avgdiagex.exe, version 13.0.0.3304, faulting
module avgduix.dll, version 13.0.0.3211, fault address 0x000527d9.

Error - 9/24/2013 10:35:25 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module unknown, version
0.0.0.0, fault address 0x00000000.

Error - 9/24/2013 10:35:29 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application avgdiagex.exe, version 13.0.0.3304, faulting
module avgduix.dll, version 13.0.0.3211, fault address 0x000527d9.

Error - 9/24/2013 6:41:40 PM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.6055, fault address 0x00010a73.

Error - 9/25/2013 8:36:06 AM | Computer Name = TEMP-6A27591C80 | Source = Application Error | ID = 1004
Description = Faulting application winlogon.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.6055, fault address 0x00010a73.

Error - 9/25/2013 10:53:33 AM | Computer Name = TEMP-6A27591C80 | Source = Microsoft Office 12 | ID = 5000
Description = EventType offdiag12, P1 c8dafaf2-f7a4-417b-84a2-18f91e379224d2d984e8-6bf9-4f8b-a72e-956853e48882,
P2 NIL, P3 NIL, P4 NIL, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

[ OSession Events ]
Error - 9/3/2013 5:23:02 PM | Computer Name = TEMP-6A27591C80 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 18
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/24/2013 10:16:52 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7022
Description = The AVG WatchDog service hung on starting.

Error - 9/24/2013 10:16:52 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avgldx86

Error - 9/24/2013 10:16:52 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7034
Description = The AVG WatchDog service terminated unexpectedly. It has done this
1 time(s).

Error - 9/24/2013 10:35:22 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7024
Description = The AVGIDSAgent service terminated with service-specific error 3758213659
(0xE001CA1B).

Error - 9/24/2013 10:38:15 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7022
Description = The AVG WatchDog service hung on starting.

Error - 9/24/2013 10:38:15 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Avgldx86

Error - 9/24/2013 10:40:27 AM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7034
Description = The AVG WatchDog service terminated unexpectedly. It has done this
1 time(s).

Error - 9/25/2013 11:53:49 AM | Computer Name = TEMP-6A27591C80 | Source = Dhcp | ID = 1002
Description = The IP address lease 172.16.0.17 for the Network Card with network
address 00FF03CF4955 has been denied by the DHCP server 172.16.0.18 (The DHCP Server
sent a DHCPNACK message).

Error - 9/25/2013 2:54:07 PM | Computer Name = TEMP-6A27591C80 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 9/25/2013 2:55:14 PM | Computer Name = TEMP-6A27591C80 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
aswRvrt aswSnx aswSP aswTdi aswVmm Fips intelppm


< End of report >
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP