#1
Could you review this and give feedback on the items that are OK to fix? Please and thank you! 'Bout ready to scream.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:32:57 PM, on 3/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

--
End of file - 7135 bytes
#2
Hello Nottatech,

Some search hijacking showing here. Let's get a more detailed look.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time. When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer. Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan). When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.

A lot, but comprehensive, and will make sure we get a good view of everything.
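The "search hijacking" call above is made by eye from the R0/R1, O2/O3, O4 and O20 sections of the HijackThis log. The script below is an added example (not code from this thread, from HijackThis or from OTL) that applies the same checks mechanically: COM add-ons (O2 BHOs, O3 toolbars) loading from outside a vendor allowlist, autostart entries (O4) that launch from a user profile, any AppInit_DLLs entry (O20), and start/search page URLs (R0/R1) that point somewhere the owner did not choose. The vendor allowlist and the expected start-page hosts are assumptions an analyst would tune per machine; the sample lines are copied from the log in post #1 except for the HKCU `updater` Run line, which is constructed to exercise the profile-directory check.

```python
"""Triage a HijackThis v2 log for browser/search-hijack indicators.
Added example; the allowlists below are assumptions, not HijackThis rules."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines from the posted log plus one made-up HKCU Run
# entry (the "updater" line) that exercises the user-profile check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Search Toolbar - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\Application Data\updater.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: install directories of vendors already identified in the log.
KNOWN_VENDOR_DIRS = (
    "c:\\program files\\google\\",
    "c:\\program files\\norton security suite\\",
    "c:\\program files\\adobe\\",
    "c:\\program files\\java\\",
    "c:\\program files\\divx\\",
    "c:\\program files\\common files\\microsoft shared\\",
    "c:\\program files\\microsoft\\search enhancement pack\\",
    "c:\\windows\\system32\\dla\\",
)
# Assumption: start/search page hosts the owner chose or that are IE defaults.
EXPECTED_HOSTS = {"xfinity.comcast.net", "go.microsoft.com", "www.google.com"}
# Autostart targets under a user profile deserve a look: installers use
# Program Files, droppers use Application Data / Local Settings / Temp.
PROFILE_DIR_MARKERS = ("\\documents and settings\\", "\\application data\\",
                       "\\local settings\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.+)$")
COM_RE = re.compile(r"^(?P<kind>BHO|Toolbar): (?P<name>.*?) - "
                    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
URL_RE = re.compile(r"=\s*https?://(?P<host>[^/\s]+)", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    entry: str


def _known_vendor(path: str) -> bool:
    return path.strip().strip('"').lower().startswith(KNOWN_VENDOR_DIRS)


def _run_target(body: str) -> str:
    """Pull the launched path out of an O4 body: '[name] path' or 'x.lnk = path'."""
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body
    return target.strip().strip('"')


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blanks
        section, body = m.group("section"), m.group("body")
        if section in ("O2", "O3"):
            c = COM_RE.match(body)
            if c and not _known_vendor(c.group("path")):
                findings.append(Finding(section, "high",
                    f"{c.group('kind')} '{c.group('name')}' loads from outside the vendor allowlist", raw))
        elif section == "O4":
            target = _run_target(body).lower()
            if any(marker in target for marker in PROFILE_DIR_MARKERS):
                findings.append(Finding(section, "high", "autostart target lives under a user profile", raw))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(section, "high",
                "AppInit_DLLs is loaded into every process that maps user32.dll; verify publisher and hash", raw))
        elif section in ("R0", "R1"):
            u = URL_RE.search(body)
            if u and u.group("host").lower() not in EXPECTED_HOSTS:
                findings.append(Finding(section, "medium", f"start/search page points at {u.group('host')}", raw))
    return findings


def clsid_cross_refs(log_text: str) -> dict[str, set[str]]:
    """Map each CLSID to the sections registering it; a BHO that also registers
    a toolbar under the same CLSID is the usual shape of a search add-on."""
    refs: dict[str, set[str]] = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        c = COM_RE.match(m.group("body")) if m else None
        if c:
            refs.setdefault(c.group("clsid").upper(), set()).add(m.group("section"))
    return refs


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.entry}")
```

Run against the log in post #1 it flags the `Search Toolbar` BHO/toolbar pair (same CLSID registered under O2 and O3, path outside any known vendor directory) and the `wmfhotfix.dll` AppInit_DLLs entry, and passes the Google, Norton, Adobe, Java and DivX add-ons. HijackThis prints no publisher, so the path allowlist stands in for the "no company name" view that the OTL log requested above provides directly.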
#3
Sorry for the delay. I had to block out some time to accomplish this.
Below are the logs from OTL.txt, EXTRAS.txt, GMER.txt and aswMBR.txt that you requested. Many thanks for your assistance!

OTL logfile created on: 3/25/2012 10:08:02 AM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 144.63 Mb Available Physical Memory | 28.36% Memory free
1.22 Gb Paging File | 0.50 Gb Available in Paging File | 41.43% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.70 Gb Total Space | 11.31 Gb Free Space | 33.57% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/03/25 10:07:43 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2011/08/04 00:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccsvchst.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (No Company Name) ==========

MOD - [2011/11/02 00:26:32 | 000,087,912 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/11/02 00:26:12 | 001,242,472 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2011/01/18 21:17:34 | 000,895,488 | ---- | M] () -- C:\Program Files\DivX\DivX Plus Web Player\libxml2.dll
MOD - [2006/01/02 18:23:16 | 000,003,584 | ---- | M] () -- C:\WINDOWS\SYSTEM32\wmfhotfix.dll
MOD - [2005/02/21 16:52:38 | 000,024,048 | ---- | M] () -- C:\WINDOWS\SYSTEM32\ddmon.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Unknown] -- -- (WinDefend)
SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - [2011/08/04 00:18:43 | 000,126,400 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ccSvcHst.exe -- (N360)
SRV - [2011/03/16 11:42:06 | 000,407,336 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\wanatw4.sys -- (wanatw) WAN Miniport (ATW)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipsecw2k.sys -- (IPSECSHM)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/06 17:04:10 | 000,356,280 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20120323.002\IDSXpx86.sys -- (IDSxpx86)
DRV - [2012/03/02 14:58:02 | 000,820,856 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20120317.002\BHDrvx86.sys -- (BHDrvx86)
DRV - [2012/02/03 23:29:09 | 000,106,104 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2012/02/03 23:29:08 | 000,374,392 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2011/08/21 22:53:36 | 000,362,360 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\symtdi.sys -- (SYMTDI)
DRV - [2011/08/21 22:53:35 | 000,173,176 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\symefa.sys -- (SymEFA)
DRV - [2011/08/04 00:19:30 | 000,485,512 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\cchpx86.sys -- (ccHP)
DRV - [2011/08/03 21:19:06 | 001,576,312 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120324.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/08/03 21:19:06 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20120324.019\NAVENG.SYS -- (NAVENG)
DRV - [2011/02/10 20:27:44 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/04/29 01:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\ironx86.sys -- (SymIRON)
DRV - [2010/04/21 22:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\srtsp.sys -- (SRTSP)
DRV - [2010/04/21 22:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\srtspx.sys -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/10/14 23:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\N360\0404000.00C\symds.sys -- (SymDS)
DRV - [2004/10/27 14:37:34 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\System32\drivers\asctrm.sys -- (ASCTRM)
DRV - [2001/08/17 15:05:44 | 000,141,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\Icam3.sys -- (ICAM3NT5)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?...eferrer:source?}
IE - HKLM\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebs...r={searchTerms}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sear...}&sourceid=ie7
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.comcast.net/
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?...ox&Form=IE8SRC
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}: "URL" = http://websearch.ask.com/redirect?cl...2-6AD2C2C61015
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0}: "URL" = http://search.mywebsearch.com/mywebs...r={searchTerms}
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sear...I7GGLL_enUS407
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2011/07/19 18:14:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn_2010_9_0_6 [2012/03/25 09:38:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/06 06:07:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/06 06:07:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{27182e60-b5f3-411c-b545-b44205977502}: C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension\ [2011/04/29 03:04:27 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2011/02/23 03:25:48 | 000,000,764 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.1.101 HP0015604BCF52
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\4.4.0.12\coieplg.dll (Symantec Corporation)
O3 - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3569547105-2397995239-3485945241-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/...ndows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get...sh/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EHR.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A3E12037-509B-4017-AD9E-F86504492185}: DhcpNameServer = 75.75.75.75 75.75.76.76
O20 - AppInit_DLLs: (C:\WINDOWS\system32\wmfhotfix.dll) - C:\WINDOWS\SYSTEM32\wmfhotfix.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\SYSTEM32\userinit.exe (Microsoft Corporation)
O20 - HKU\.DEFAULT Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-18 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-19 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-20 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-3569547105-2397995239-3485945241-500 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0a84152a-7d06-11e0-9f10-001111470173}\Shell - "" = AutoRun
O33 - MountPoints2\{0a84152a-7d06-11e0-9f10-001111470173}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0a84152a-7d06-11e0-9f10-001111470173}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/03/25 10:07:42 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/03/24 12:01:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2012/03/24 11:58:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\AVIConverter
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/03/25 10:07:43 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2012/03/25 10:02:19 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/25 09:39:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2012/03/25 09:38:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/03/25 09:36:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2012/03/25 09:36:11 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/24 11:58:24 | 000,000,863 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\AVIConverter.lnk
[2012/03/21 21:32:59 | 000,007,136 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis 3_19_12
[2012/03/18 13:06:36 | 000,017,240 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\CIPPE-Page4-Fill-In.pdf
[2012/03/15 11:54:41 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2012/03/14 03:30:38 | 000,221,632 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/14 03:04:52 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/12 13:49:19 | 000,445,798 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2012/03/12 13:49:18 | 000,073,004 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/24 11:58:23 | 000,000,863 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\AVIConverter.lnk
[2012/03/21 21:32:52 | 000,007,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\hijackthis 3_19_12
[2012/03/18 13:06:36 | 000,017,240 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\CIPPE-Page4-Fill-In.pdf
[2012/02/16 13:55:44 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/05/18 17:11:22 | 000,001,940 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini
[2011/02/23 03:22:18 | 000,000,146 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2011/02/23 03:21:52 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2011/02/23 03:14:55 | 000,000,698 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2011/02/23 02:56:34 | 000,068,274 | ---- | C] () -- C:\WINDOWS\hpoins05.dat.temp
[2011/02/23 02:56:33 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat.temp
[2011/02/10 18:31:25 | 000,374,199 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\census.cache
[2011/02/10 18:30:40 | 000,190,795 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\ars.cache
[2011/02/10 18:23:14 | 000,000,444 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/02/10 18:21:09 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\housecall.guid.cache
[2011/02/06 14:03:48 | 000,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2011/01/22 15:44:57 | 000,000,658 | ---- | C] () -- C:\WINDOWS\EReg515.dat
[2011/01/02 10:13:34 | 000,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2010/12/18 12:55:39 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

< End of report >

OTL Extras logfile created on: 3/25/2012 10:08:02 AM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

509.98 Mb Total Physical Memory | 144.63 Mb Available Physical Memory | 28.36% Memory free
1.22 Gb Paging File | 0.50 Gb Available in Paging File | 41.43% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 33.70 Gb Total Space | 11.31 Gb Free Space | 33.57% Space Free | Partition Type: NTFS
Unable to calculate disk information.

Computer Name: | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*
isabled:@xpsp2res.dll,-22009"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\Parameters\FirewallPolicy\DomainPr ofile\AuthorizedApplications\List] "C:\Program Files\Microsoft Office\Office\EXCEL.EXE" = C:\Program Files\Microsoft Office\Office\EXCEL.EXE:*:Enabled:Microsoft Excel for Windows -- (Microsoft Corporation) "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater "C:\Program Files\Nortel Networks\Extranet.exe" = C:\Program Files\Nortel Networks\Extranet.exe:* isabled:Contivity VPN Client[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\SharedAccess\Parameters\FirewallPolicy\Standard Profile\AuthorizedApplications\List] "C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe" = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe:* isabled:Kodak Software Updater"C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS15.tmp\SymNRT.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\7zS15.tmp\SymNRT.exe:*:Enabled:Norto n Removal Tool "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS17.tmp\SymNRT.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\7zS17.tmp\SymNRT.exe:*:Enabled:Norto n Removal Tool "C:\Documents and Settings\Administrator\Local Settings\Temp\7zS5BE2\Setup\HPZnet01.exe" = C:\Documents and 
Settings\Administrator\Local Settings\Temp\7zS5BE2\Setup\HPZnet01.exe:*:Enabled :Install Consumer Experience Network Plug in "C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation) "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.) "C:\Program Files\Steam\steamapps\hainesy12\garrysmod\hl2.exe" = C:\Program Files\Steam\steamapps\hainesy12\garrysmod\hl2.exe: *:Enabled:Garry's Mod -- () ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall] "{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 "{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam "{06E6E30D-B498-442F-A943-07DE41D7F785}" = Microsoft Search Enhancement Pack "{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant "{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager "{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan "{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA "{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant "{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel(R) PROSet for Wired Connections "{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{2656D0AB-9EA4-4C58-A117-635F3CED8B93}" = Microsoft UI Engine "{26A24AE4-039D-4CA4-87B4-2F83216022FF}" = Java(TM) 6 Update 29 "{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2 "{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10 "{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7 
"{343666E2-A059-48AC-AD67-230BF74E2DB2}" = Apple Application Support "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page "{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX "{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement "{5469D537-9B44-4c78-BF2D-5F9807564F74}" = HP PSC & OfficeJet 4.7 "{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool "{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053 "{61BEA823-ECAF-49F1-8378-A59B3B8AD247}" = Microsoft Default Manager "{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan "{65FA5E6D-B3D7-46D9-9571-CBBA1968346B}" = FileMaker Pro 7 "{66468F4D-BC4E-470C-9093-B3B6A1BB378C}" = MSN Toolbar Platform "{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03 "{7148F0A8-6813-11D6-A77B-00B0D0142050}" = Java 2 Runtime Environment, SE v1.4.2_05 "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour "{8153ED9A-C94A-426E-9880-5E6775C08B62}" = Apple Mobile Device Support "{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8 Dell Edition "{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware "{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics 2 Driver "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system "{90E00409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Outlook 2003 "{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! 
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0.8 "{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12 "{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}" = MarketResearch "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}" = Jasc Paint Shop Photo Album "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}" = WMFHotFix, MSI Version 1, Hotfix Version 14 "{F6D6B258-E3CA-4AAC-965A-68D3E3140A8C}" = iTunes "{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard "{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "DellSupport" = Dell Support 5.0.0 (630) "DivX Setup.divx.com" = DivX Setup "HP Photo & Imaging" = HP Image Zone 4.7 "HPExtendedCapabilities" = HP Extended Capabilities 4.7 "ie8" = Windows Internet Explorer 8 "LiveUpdate" = LiveUpdate 2.0 (Symantec Corporation) "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "N360" = Norton Security Suite "Nano AVIConverter" = Nano AVIConverter 1.1.6 "Non Driver CIO Components" = Non Driver CIO Components "PROSet" = Intel(R) PRO Network Adapters and Drivers "QuickTime" = QuickTime "RealPlayer 6.0" = RealPlayer Basic "Search Toolbar" = Search Toolbar "Steam App 4000" = Garry's Mod "WIC" = Windows Imaging Component "Windows Media Format Runtime" = Windows Media 
Format Runtime "Windows Media Player" = Windows Media Player 10 "Windows XP Service Pack" = Windows XP Service Pack 3 ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 3/25/2012 8:18:46 AM | Computer Name = | Source = ESENT | ID = 489 Description = wuauclt (3816) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ed b.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8). Error - 3/25/2012 8:18:46 AM | Computer Name = | Source = ESENT | ID = 455 Description = wuaueng.dll (3816) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log. Error - 3/25/2012 8:19:01 AM | Computer Name = | Source = ESENT | ID = 489 Description = wuauclt (3816) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ed b.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8). Error - 3/25/2012 8:19:01 AM | Computer Name = | Source = ESENT | ID = 455 Description = wuaueng.dll (3816) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log. Error - 3/25/2012 8:24:34 AM | Computer Name = | Source = ESENT | ID = 489 Description = wuauclt (2284) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ed b.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8). 
Error - 3/25/2012 8:24:34 AM | Computer Name = | Source = ESENT | ID = 455 Description = wuaueng.dll (2284) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log. Error - 3/25/2012 8:24:44 AM | Computer Name = | Source = ESENT | ID = 489 Description = wuauclt (2284) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\ed b.log" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8). Error - 3/25/2012 8:24:44 AM | Computer Name = | Source = ESENT | ID = 455 Description = wuaueng.dll (2284) SUS20ClientDataStore: Error -1032 (0xfffffbf8) occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log. Error - 3/25/2012 9:37:26 AM | Computer Name = | Source = Userenv | ID = 1054 Description = Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted. Error - 3/25/2012 9:37:27 AM | Computer Name = | Source = AutoEnrollment | ID = 15 Description = Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed. [ System Events ] Error - 3/25/2012 9:01:09 AM | Computer Name = | Source = DCOM | ID = 10010 Description = The server {6295DF2D-35EE-11D1-8707-00C04FD93327} did not register with DCOM within the required timeout. Error - 3/25/2012 9:23:33 AM | Computer Name = | Source = DCOM | ID = 10010 Description = The server {6295DF2D-35EE-11D1-8707-00C04FD93327} did not register with DCOM within the required timeout. 
Error - 3/25/2012 9:31:07 AM | Computer Name = | Source = DCOM | ID = 10010 Description = The server {6295DF2D-35EE-11D1-8707-00C04FD93327} did not register with DCOM within the required timeout. Error - 3/25/2012 9:37:31 AM | Computer Name = | Source = NETLOGON | ID = 5719 Description = No Domain Controller is available for domain EHR due to the following: %%1311. Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator. Error - 3/25/2012 9:44:19 AM | Computer Name = | Source = Service Control Manager | ID = 7031 Description = The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. Error - 3/25/2012 9:44:27 AM | Computer Name = | Source = Service Control Manager | ID = 7034 Description = The SeaPort service terminated unexpectedly. It has done this 1 time(s). Error - 3/25/2012 9:44:35 AM | Computer Name = | Source = Service Control Manager | ID = 7031 Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service. Error - 3/25/2012 9:57:48 AM | Computer Name = | Source = Service Control Manager | ID = 7031 Description = The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service. Error - 3/25/2012 9:57:53 AM | Computer Name = | Source = Service Control Manager | ID = 7031 Description = The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service. 
Error - 3/25/2012 9:57:58 AM | Computer Name = | Source = Service Control Manager | ID = 7034 Description = The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s). < End of report > |
#4
Part 2 of 2.
#5
Well, nothing that would suggest system slowness, but a search hijacker showing that can cause Internet issues.
Go to Start - Control Panel - Programs - Programs and Features, then click on each of the following programs, if they show there, and click "Uninstall/Change".

Internet Explorer Default Page - Home page hijacker.
Search Toolbar - Adware, spyware, search hijacker.

If you don't use it, uninstall these resource wasters.

Google Toolbar for Internet Explorer
Google Update Helper

And some older, more vulnerable Java versions that need to be manually uninstalled.

J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05

Then reboot.

After the reboot, be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup-1.60.01800.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs, do that as well then.

----------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner. If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready.

When the Computer scan settings display shows, check the following boxes:
Remove found threats
Scan unwanted applications
Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).
Then click the Advanced option, then place a check next to the following (if it is not already checked):
Enable Anti-Stealth technology
Click Start. This scan may take a while, so please be patient.
If infection is found, at the end of the scan click "List of found threats". In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.
Post that log and the Malwarebytes log please.
#6
Slow, but steady... below are the MBAM and ESET logs you requested. All other steps were completed as instructed.
Thank you so much for all of your help and patience!

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: EPURCELL-EHR [administrator]

4/4/2012 8:34:32 PM
mbam-log-2012-04-04 (20-34-32).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204748
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 17
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF6-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EAB-A523-4961-B6BB-170DE4475CCA} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{E856B973-45FD-4559-8F82-EAB539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKCR\TypeLib\{DF058C45-CD18-453e-8745-5A77F60722AB} (Adware.Gdown) -> Quarantined and deleted successfully.
HKCR\Interface\{B5A33C35-7298-4D15-8753-A2E851E2EAB3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKCR\GTDOWNDE.GTAutoFixDLCtrl.1 (Adware.Gdown) -> Quarantined and deleted successfully.
HKCR\GTDOWNDE.GTAutoFixDLCtrl (Adware.Gdown) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.

(end)

C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\6TCFAPSX\hack-windows-xp-administrator-password[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\jquery.validate.min[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\ATUNA1IJ\jquery.validate.min[2].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\ajax-comments[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\ajax-comments[2].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\CAW9QF8H.htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\jquery.validate.min[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\mygateway[1].htm JS/TrojanClicker.Agent.NCQ trojan cleaned by deleting - quarantined
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application cleaned by deleting - quarantined
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110328-195635-157.dll a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110328-195635-231.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
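As an added example (not code from either poster or from the tools involved), a small Python parser for the two log formats posted above, which tags each detection by where it lives so that persistence points (registry keys, an OCX in System32) stand out from inert residue (cached web pages, HijackThis's own backups). The sample entries are a few lines copied from the logs above; the function names and the location labels are this example's own choices.

```python
import re
from collections import Counter

# Sample entries taken from the Malwarebytes and ESET logs posted in this
# thread (a few lines each, not the full logs).
MBAM_SAMPLE = r"""
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKCR\CLSID\{E856B973-45FD-4559-8F82-EAB539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
"""
ESET_SAMPLE = r"""
C:\Documents and Settings\team1\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\mygateway[1].htm JS/TrojanClicker.Agent.NCQ trojan cleaned by deleting - quarantined
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application cleaned by deleting - quarantined
C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110328-195635-157.dll a variant of Win32/Toolbar.MyWebSearch.K application cleaned by deleting - quarantined
"""

# Malwarebytes line shape: "<location> (<Family>) -> <action>."
MBAM_RE = re.compile(r"^(?P<where>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# ESET line shape: "<path> <threat name> <virus|trojan|application> <action> - quarantined"
ESET_RE = re.compile(
    r"^(?P<where>[A-Za-z]:\\.+?\.(?:htm|html|dll|ocx|exe)) "
    r"(?P<name>.+?) (?:virus|trojan|application) (?P<action>.+)$")

def classify(where):
    """Label a detection by where it lives: persistence vs. inert residue."""
    w = where.lower()
    if w.startswith("hk"):
        return "registry"            # BHO/CLSID/SearchScopes persistence
    if "\\temporary internet files\\" in w:
        return "browser cache"       # cached page; only runs if revisited
    if "\\hijackthis\\backups\\" in w:
        return "tool backup"         # HijackThis's own copy of removed items
    if "\\i386\\" in w:
        return "setup file cache"    # Windows install-source copy
    return "file on disk"

def parse(text, pattern):
    """Parse one log's lines into dicts with where/name/action/kind."""
    records = []
    for line in text.strip().splitlines():
        m = pattern.match(line.strip())
        if m:
            d = m.groupdict()
            d["kind"] = classify(d["where"])
            records.append(d)
    return records

def summarize(records):
    """Count detections per (location kind, threat name) for quick triage."""
    return Counter((r["kind"], r["name"]) for r in records)
```

Running `summarize(parse(MBAM_SAMPLE, MBAM_RE) + parse(ESET_SAMPLE, ESET_RE))` on the samples shows that only the registry keys and the System32 OCX were live components; the rest of the ESET hits sit in cache or backup folders.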