Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help Requested - Recurring Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby ndmmxiaomayi » November 4th, 2007, 1:01 pm

Hi alleycat. :)

Please open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all
File::
C:\WINDOWS\system32\ccbeg.ini2
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc]


Click on File > Save As....

In the File Name box, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

Image

Combofix will start running. Once done, a log will be produced. Please post this Combofix log as well as new HijackThis log in your next reply.

In your next reply, please post:

  1. Combofix log (C:\Combofix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
Advertisement
Register to Remove

Unread postby alleycat » November 4th, 2007, 1:30 pm

This is the ConboFix file and HiJack log:

ComboFix 07-11-02.3 - CEA 2007-11-04 11:24:44.2 - NTFSx86
Running from: C:\Documents and Settings\CEA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\CEA\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ccbeg.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ccbeg.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-04 07:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-04 07:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 19:56 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-01 19:56 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-01 19:56 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-01 19:56 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-01 19:56 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-01 19:56 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-01 19:18 <DIR> d-------- C:\Working Folder
2007-10-31 22:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-31 22:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 22:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-31 22:16 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-31 22:16 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-31 22:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-31 22:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 02:15 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-30 20:13 <DIR> d-------- C:\Documents and Settings\CEA\Application Data\TrojanHunter
2007-10-30 19:34 <DIR> d-------- C:\Program Files\TrojanHunter 5.0
2007-10-30 19:29 <DIR> d-------- C:\Documents and Settings\CEA\.housecall6.6
2007-10-30 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-10-30 14:38 <DIR> d-------- C:\HijackLog
2007-10-30 14:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 15:25 <DIR> d-------- C:\Documents and Settings\CEA\Application Data\Kensington
2007-10-18 15:23 188,416 --a------ C:\WINDOWS\system32\kmw_show.exe
2007-10-18 15:23 122,880 --a------ C:\WINDOWS\system32\kmw_dll.dll
2007-10-18 15:23 118,784 --a------ C:\WINDOWS\system32\kmw_run.exe
2007-10-18 15:23 92,032 --a------ C:\WINDOWS\system32\drivers\KMW_SYS.sys
2007-10-18 15:23 10,496 --a------ C:\WINDOWS\system32\drivers\kmw_usb.sys
2007-10-18 15:23 5,760 --a------ C:\WINDOWS\system32\drivers\KMW_KBD.sys
2007-10-18 15:23 4,992 --a------ C:\WINDOWS\system32\drivers\KMW_LIB.sys
2007-10-18 15:22 <DIR> d-------- C:\Program Files\Kensington
2007-10-11 18:33 <DIR> d-------- C:\Program Files\Windows Sidebar
2007-10-11 18:32 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-10-11 18:30 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-11 18:30 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-09 20:25 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-04 16:01 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-10-04 15:58 26,496 --a------ C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 17:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-04 13:21 --------- d-----w C:\Program Files\Lavasoft
2007-11-04 13:21 --------- d-----w C:\Documents and Settings\CEA\Application Data\Lavasoft
2007-11-04 11:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-04 11:04 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-04 11:04 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-04 11:04 --------- d-----w C:\Program Files\Symantec
2007-11-02 23:26 --------- d-----w C:\Program Files\NoAdware4
2007-10-18 21:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 00:36 --------- d-----w C:\Documents and Settings\CEA\Application Data\Symantec
2007-10-10 07:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-09-18 19:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-09-18 19:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-09-18 19:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-09-18 19:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-09-18 19:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-09-18 19:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-09-18 19:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-09-18 19:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-09-15 07:22 --------- d-----w C:\Documents and Settings\CEA\Application Data\Movie Outline
2007-09-10 22:53 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-08-29 19:18 577,928 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-08-23 23:57 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2006-08-02 21:59 1,156,608 ----a-w C:\Program Files\RenameMaster.exe
2006-02-09 01:41 1,203,471 ----a-w C:\Program Files\PlotCraftSetup.exe
2005-09-18 15:27 4,077,184 ----a-w C:\Program Files\winzip90.exe
2005-09-14 03:11 3,319,041 ----a-w C:\Program Files\swp-pro-v3.5.exe
2005-07-30 02:21 767,245 ----a-w C:\Program Files\FreeMind-Windows-Installer-0_7_1.exe
2005-07-10 16:31 18,044,753 ----a-w C:\Program Files\Dell_English_PSPA_521_Deluxe_ESD.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-02_17.12.48.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-30 00:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-3-2007\ERDNT.EXE
+ 2007-11-03 13:03:26 5,767,168 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-3-2007\Users\00000001\NTUSER.DAT
+ 2007-11-03 13:03:27 8,192 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-3-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-4-2007\ERDNT.EXE
+ 2007-11-04 11:10:00 5,767,168 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-4-2007\Users\00000001\NTUSER.DAT
+ 2007-11-04 11:10:00 8,192 ----a-w C:\WINDOWS\ERDNT\AutoBackup\11-4-2007\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-02\ERDNT.EXE
+ 2007-11-02 22:12:16 5,775,360 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-02\Users\00000001\NTUSER.DAT
+ 2007-11-02 22:12:17 8,192 ----a-w C:\WINDOWS\ERDNT\AutoBackup\2007-11-02\Users\00000002\UsrClass.dat
+ 2007-11-04 13:16:53 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2007-11-04 13:16:54 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2007-11-04 13:16:53 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2007-11-04 13:16:53 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2007-06-17 05:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
+ 2007-06-17 06:11:58 51,200 ----a-w C:\WINDOWS\nircmd.exe
+ 2007-07-11 20:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 19:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 19:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2007-11-01 04:17:43 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-04 11:13:58 54,280 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-01 04:17:44 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-04 11:13:58 384,596 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-23 00:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-11-04 13:25:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_ec8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-24 21:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2007-10-11 18:32 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-24 21:51 316784]

[HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"StartupDelayer"="C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2007-03-15 19:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-29 15:36]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-10-23 16:18]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 22:53]
"MSWheel"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 15:24]

C:\Documents and Settings\CEA\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 11:04:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-05-29 15:28:23]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

R2 EarthLinkMonitor;EarthLink Monitor Service;"C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe"
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
R3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
R3 KMW_SYS;Kensington MouseWorks Mouse filter driver;C:\WINDOWS\system32\DRIVERS\KMW_SYS.sys
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys
S3 COH_Mon;COH_Mon;\??\C:\WINDOWS\system32\Drivers\COH_Mon.sys
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 17:11:44 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - CEA.job"
"2007-11-04 17:26:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 11:27:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-04 11:28:11
C:\ComboFix-quarantined-files.txt ... 2007-04-27 03:50
C:\ComboFix2.txt ... 2007-11-02 16:23
C:\ComboFix3.txt ... 2007-04-27 03:50
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:30 AM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.city-data.com/forum/tennessee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3630100406
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9348 bytes
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby ndmmxiaomayi » November 4th, 2007, 2:17 pm

Hi alleycat. :)

Step 1

  1. Please download AVG Anti-Spyware and save it to your desktop.
  2. Double click on avgas-setup-7.5.0.50.exe to install AVG Anti-Spyware. Install it in the default location.
  3. Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  4. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  5. Now click on the Scanner button at the top.
  6. Select the Settings tab.
  7. Under How to act?, click on Recommended actions and select Quarantine.
  8. Under How to scan?, check (tick) all the boxes.
  9. Under Possibly unwanted software:, check (tick) all the boxes.
  10. Under Reports:, uncheck (untick) the Only if threats were found box and select Do not automatically generate report.
  11. Under What to scan?, select Scan every file.
Do not run a scan yet. You will run a scan later.

Step 2

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Please print out or save this set of instructions as you will not have internet access during the fix.

Step 3

Reboot into Safe Mode by following the instructions below:

  • When you see BIOS screen, start pressing F8.
  • A boot menu will appear shortly.
  • Using the up down arrows, select Safe Mode and press the Enter key.
  • Windows will now load.
  • Log in to your usual account.

Step 4

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you did hit the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Restart your computer in Normal Mode.

In your next reply, please post:

  1. A new HijackThis log
  2. AVG Antispyware scan report
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby alleycat » November 4th, 2007, 4:05 pm

I followed all the steps you listed. Since AVG found nothing it didn't give me a "Apply all action" option.

This is the report and a new HiJack log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:54:03 PM 11/4/2007

+ Scan result:



Nothing found.



::Report end



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:27 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.city-data.com/forum/tennessee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3630100406
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9588 bytes
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 4th, 2007, 4:41 pm

After doing the above I ran SpyBot (I've been running SpyBot quite often now). It found something called LSA and Miscrosoft.WindowsSecurityCenter_Diabled.

I had run SpyBot this morning and at that time it found nothing.
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby ndmmxiaomayi » November 4th, 2007, 10:52 pm

Hi alleycat. :)

Miscrosoft.WindowsSecurityCenter_Diabled


Is that mispelt?

Anyway, AVG Antispyware doesn't deactivate Windows Security Centre.

Some questions:

1. Did you set Windows Security Centre not to monitor your antivirus program?

2. Is Windows Firewall turned on?

3. Is Automatic Updates turned on and set to Automatic (Recommended) option?

  1. Please download WinPFind3u from Bleeping Computer by OldTimer and save it to your desktop.
  2. Double click on winpfind3u.exe to run it.
  3. Click on Extract. Once done, you will be prompted. Click OK and click Close.
  4. Double click on the WinPFind3u folder. Double click on WinPFind3U.exe to run it.
  5. Under Driver Services section, select Non-Microsoft.
  6. On your right, under Additional Scans, check (tick) this box: Reg - BotCheck.
  7. Click on the Run Scan button at the top left hand corner.
  8. WinPFind will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.

In your next reply, please post:

  1. Your security settings
  2. WinPFind3U log (In WinPFind's folder)
  3. A new HijackThis log
Note: You will need several replies to prevent the logs from being cut off.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby alleycat » November 5th, 2007, 12:10 am

Hi, Mayi. Thanks for your patience.

Yes, that was a typo. It should have been "disabled".

I've gotten that error before during the week; even before I ran the AVG scan. Later I was on the Internet and afterwards ran another SpyBot scan and it found nothing that time.

1. I have not changed any of the Windows Security Center settings.

2. My Norton firewall is on.

3. Automatic updates is turned on.

A couple of questions before I post again:
-How do I post my security setting? Do you mean Windows, or Explorer?
-Should I rename HiJack This? I keep seeing this recommended.
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 5th, 2007, 12:22 am

The WinPFind report:

WinPFind3 logfile created on: 11/4/2007 10:17:50 PM
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\CEA\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

509.98 Mb Total Physical Memory | 185.49 Mb Available Physical Memory | 36.37% Memory free
1.22 Gb Paging File | 0.82 Gb Available in Paging File | 67.58% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.56 Gb Total Space | 55.89 Gb Free Space | 79.21% Space Free
Drive D: | 7.72 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: D35H0M71
Current User Name: CEA
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 9/25/2007 9:00:46 AM | Attr = ]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.4.0.164 | Size = 243064 bytes | Modified Date = 8/31/2007 10:49:50 AM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
ccsvchst.exe -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
dlg.exe -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 10/29/2003 1:06:00 AM | Attr = R ]
dsagnt.exe -> %ProgramFiles%\DellSupport\DSAgnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 3/15/2007 10:09:36 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
hkcmd.exe -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4396 | Size = 77824 bytes | Modified Date = 9/20/2005 9:32:24 AM | Attr = ]
igfxpers.exe -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4396 | Size = 114688 bytes | Modified Date = 9/20/2005 9:36:20 AM | Attr = ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 3, 20, 100, 1123 | Size = 81920 bytes | Modified Date = 8/9/2004 6:03:38 AM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe -> [Ver = | Size = 32881 bytes | Modified Date = 11/19/2003 4:48:14 PM | Attr = ]
symlcsvc.exe -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1245064 bytes | Modified Date = 10/11/2007 6:32:00 PM | Attr = ]
taskpanl.exe -> %ProgramFiles%\EarthLink TotalAccess\TaskPanl.exe -> EarthLink, Inc. [Ver = 2005.2.118.0 | Size = 942080 bytes | Modified Date = 9/1/2005 3:24:56 PM | Attr = ]
tfswctrl.exe -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 9/4/2007 10:47:26 AM | Attr = ]
wmonitor.exe -> %ProgramFiles%\EarthLink TotalAccess\WENGINE\wmonitor.exe -> Boingo Wireless, Inc. [Ver = 1, 4, 1220, 0 | Size = 65604 bytes | Modified Date = 1/26/2005 11:47:42 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft AB [Ver = 7, 0, 2, 3 | Size = 574808 bytes | Modified Date = 9/25/2007 9:00:46 AM | Attr = ]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\AluSchedulerSvc.exe -> Symantec Corporation [Ver = 3.4.0.164 | Size = 243064 bytes | Modified Date = 8/31/2007 10:49:50 AM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 5/30/2007 6:31:10 AM | Attr = ]
(CCALib8) Canon Camera Access Library 8 [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Canon\CAL\CALMAIN.exe -> Canon Inc. [Ver = 8, 0, 0, 21 | Size = 86606 bytes | Modified Date = 6/2/2005 3:54:34 PM | Attr = ]
(ccEvtMgr) Symantec Event Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
(ccSetMgr) Symantec Settings Manager [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
(CLTNetCnService) Symantec Lic NetConnect service [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
(comHost) COM Host [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\VAScanner\comHost.exe -> Symantec Corporation [Ver = 3.0.0.71 | Size = 55640 bytes | Modified Date = 8/22/2007 1:21:30 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(DSBrokerService) DSBrokerService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe -> [Ver = 1, 0, 0, 8 | Size = 76848 bytes | Modified Date = 3/7/2007 2:47:46 PM | Attr = ]
(EarthLinkMonitor) EarthLink Monitor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\EarthLink TotalAccess\WENGINE\wmonitor.exe -> Boingo Wireless, Inc. [Ver = 1, 4, 1220, 0 | Size = 65604 bytes | Modified Date = 1/26/2005 11:47:42 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/6/2007 8:22:40 PM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Shared | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_4.EXE -> Symantec Corporation [Ver = 3.4.0.162 | Size = 3192184 bytes | Modified Date = 8/23/2007 2:35:22 PM | Attr = ]
(LiveUpdate Notice) LiveUpdate Notice [Win32_Shared | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\CCSVCHST.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 149864 bytes | Modified Date = 10/23/2007 4:18:22 PM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\PROSetWired\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.6.3.0 | Size = 143360 bytes | Modified Date = 12/17/2003 12:59:48 PM | Attr = ]
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\svcntaux.exe -> PC Tools [Ver = 5.0.5.2 | Size = 742216 bytes | Modified Date = 10/2/2007 3:27:06 PM | Attr = ]
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\swdsvc.exe -> PC Tools [Ver = 5.0.5.23 | Size = 1415496 bytes | Modified Date = 10/2/2007 3:27:12 PM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> [Ver = | Size = 1245064 bytes | Modified Date = 10/11/2007 6:32:00 PM | Attr = ]

[Driver Services - Non-Microsoft Only]
(Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped] -> -> File not found
(AliIde) AliIde [Kernel | Disabled | Stopped] -> %System32%\drivers\aliide.sys -> Acer Laboratories Inc. [Ver = 1.20 | Size = 5248 bytes | Modified Date = 8/17/2001 12:51:56 PM | Attr = ]
(amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped] -> %System32%\drivers\AMDAGP.SYS -> Advanced Micro Devices, Inc. [Ver = 5.00 (xpsp_sp2_rtm.040803-2158) | Size = 43008 bytes | Modified Date = 8/3/2004 10:07:44 PM | Attr = ]
(asc) asc [Kernel | Disabled | Stopped] -> %System32%\drivers\asc.sys -> Advanced System Products, Inc. [Ver = 2.9I-MS (XPClient.010817-1148) | Size = 26496 bytes | Modified Date = 8/17/2001 12:52:00 PM | Attr = ]
(asc3550) asc3550 [Kernel | Disabled | Stopped] -> %System32%\drivers\asc3550.sys -> Advanced System Products, Inc. [Ver = 3.1E-MS (XPClient.010817-1148) | Size = 14848 bytes | Modified Date = 8/17/2001 12:51:58 PM | Attr = ]
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> %System32%\drivers\asctrm.sys -> Windows (R) 2000 DDK provider [Ver = 5.00.2195.1 | Size = 8552 bytes | Modified Date = 5/29/2005 3:36:38 PM | Attr = ]
(Atdisk) Atdisk [Kernel | Disabled | Stopped] -> -> File not found
(AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.sys -> [Ver = | Size = 11000 bytes | Modified Date = 5/30/2007 6:10:42 AM | Attr = ]
(AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running] -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Modified Date = 5/30/2007 6:10:42 AM | Attr = ]
(bvrp_pci) bvrp_pci [Kernel | On_Demand | Stopped] -> -> File not found
(BW2NDIS5) BW2NDIS5 [Kernel | On_Demand | Stopped] -> %System32%\drivers\BW2NDIS5.SYS -> Printing Communications Assoc., Inc. (PCAUSA) [Ver = 5.5.17.00 | Size = 17536 bytes | Modified Date = 11/1/2004 2:16:34 PM | Attr = R ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\CEA\LOCALS~1\Temp\catchme.sys -> File not found
(Changer) Changer [Kernel | System | Stopped] -> -> File not found
(CmdIde) CmdIde [Kernel | Disabled | Stopped] -> %System32%\drivers\cmdide.sys -> CMD Technology, Inc. [Ver = 2.0.7 (XPClient.010817-1148) | Size = 6656 bytes | Modified Date = 8/17/2001 12:51:54 PM | Attr = ]
(COH_Mon) COH_Mon [Kernel | On_Demand | Stopped] -> %System32%\drivers\COH_Mon.sys -> Symantec Corporation [Ver = 6,1,2,3 | Size = 22112 bytes | Modified Date = 5/29/2007 2:55:36 PM | Attr = ]
(CO_Mon) CO_Mon [Kernel | Auto | Running] -> %System32%\drivers\CO_Mon.sys -> Symantec Corporation [Ver = 2007.1.1.99 | Size = 36056 bytes | Modified Date = 8/8/2007 5:39:56 PM | Attr = ]
(dac2w2k) dac2w2k [Kernel | Disabled | Stopped] -> %System32%\drivers\dac2w2k.sys -> Mylex Corporation [Ver = 6.00-21 (XPClient.010817-1148) | Size = 179584 bytes | Modified Date = 8/17/2001 12:52:16 PM | Attr = ]
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %System32%\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 799744 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %System32%\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 153344 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %System32%\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(drvmcdb) drvmcdb [Kernel | Boot | Running] -> %System32%\drivers\drvmcdb.sys -> Sonic Solutions [Ver = 3.22.03a | Size = 87488 bytes | Modified Date = 12/1/2004 2:22:00 AM | Attr = ]
(drvnddm) drvnddm [File_System | Auto | Running] -> %System32%\drivers\drvnddm.sys -> Sonic Solutions [Ver = 2.56.43a | Size = 40480 bytes | Modified Date = 11/23/2004 1:56:00 AM | Attr = ]
(DSproct) DSproct [Kernel | On_Demand | Running] -> %ProgramFiles%\DellSupport\GTAction\triggers\DSproct.sys -> Gteko Ltd. [Ver = 2, 0, 0, 30 | Size = 4736 bytes | Modified Date = 10/5/2006 3:07:28 PM | Attr = ]
(dsunidrv) DellSupport UniDriver [Kernel | Auto | Running] -> %System32%\drivers\dsunidrv.sys -> Gteko Ltd. [Ver = 1, 0, 0, 12 | Size = 5376 bytes | Modified Date = 2/25/2007 11:10:48 AM | Attr = S]
(E100B) Intel(R) PRO Adapter Driver [Kernel | On_Demand | Running] -> %System32%\drivers\e100b325.sys -> Intel Corporation [Ver = 7.1.12.0 built by: WinDDK | Size = 154112 bytes | Modified Date = 2/10/2004 8:49:14 PM | Attr = ]
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\eeCtrl.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 395312 bytes | Modified Date = 8/30/2007 2:00:00 AM | Attr = ]
(EraserUtilRebootDrv) EraserUtilRebootDrv [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -> Symantec Corporation [Ver = 107.3.3.4 | Size = 112688 bytes | Modified Date = 8/30/2007 2:00:00 AM | Attr = ]
(HSFHWBS2) HSFHWBS2 [Kernel | On_Demand | Running] -> %System32%\drivers\HSFHWBS2.sys -> Conexant Systems, Inc. [Ver = 7.06.00 | Size = 212224 bytes | Modified Date = 11/17/2003 8:59:20 PM | Attr = ]
(HSF_DP) HSF_DP [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_DP.sys -> Conexant Systems, Inc. [Ver = 7.06.00 | Size = 1042432 bytes | Modified Date = 11/17/2003 8:56:26 PM | Attr = ]
(ialm) ialm [Kernel | On_Demand | Running] -> %System32%\drivers\ialmnt5.sys -> Intel Corporation [Ver = 6.14.10.4396 | Size = 1302332 bytes | Modified Date = 9/20/2005 10:00:54 AM | Attr = ]
(IKFileSec) File Security Driver [File_System | On_Demand | Stopped] -> %System32%\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1036 built by: WinDDK | Size = 41288 bytes | Modified Date = 10/4/2007 4:10:52 PM | Attr = ]
(IKSysFlt) System Filter Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1024 | Size = 62280 bytes | Modified Date = 10/4/2007 4:10:54 PM | Attr = ]
(IKSysSec) System Security Driver [Kernel | On_Demand | Stopped] -> %System32%\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1024 | Size = 79688 bytes | Modified Date = 10/4/2007 4:10:58 PM | Attr = ]
(KMW_KBD) Kensington Input Devices Class filter driver [Kernel | On_Demand | Running] -> %System32%\drivers\KMW_KBD.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 5760 bytes | Modified Date = 9/1/2005 9:41:36 AM | Attr = ]
(KMW_SYS) Kensington MouseWorks Mouse filter driver [Kernel | On_Demand | Running] -> %System32%\drivers\KMW_SYS.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 92032 bytes | Modified Date = 9/1/2005 9:41:56 AM | Attr = ]
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> -> File not found
(mdmxsdk) mdmxsdk [Kernel | Auto | Running] -> %System32%\drivers\mdmxsdk.sys -> Conexant [Ver = 1.0.2.002 | Size = 11043 bytes | Modified Date = 4/9/2003 5:48:08 PM | Attr = ]
(mraid35x) mraid35x [Kernel | Disabled | Stopped] -> %System32%\drivers\mraid35x.sys -> American Megatrends Inc. [Ver = 6.19 (XPClient.010817-1148) | Size = 17280 bytes | Modified Date = 8/17/2001 12:52:12 PM | Attr = ]
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20071104.009\NAVENG.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 81232 bytes | Modified Date = 7/17/2007 2:00:00 AM | Attr = ]
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\VirusDefs\20071104.009\NAVEX15.SYS -> Symantec Corporation [Ver = 20071.3.0.24 | Size = 865904 bytes | Modified Date = 7/17/2007 2:00:00 AM | Attr = ]
(nv) nv [Kernel | On_Demand | Stopped] -> %System32%\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.10.5673 | Size = 1897408 bytes | Modified Date = 8/3/2004 9:29:56 PM | Attr = ]
(PCIDump) PCIDump [Kernel | System | Stopped] -> -> File not found
(PDCOMP) PDCOMP [Kernel | On_Demand | Stopped] -> -> File not found
(PDFRAME) PDFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(PDRELI) PDRELI [Kernel | On_Demand | Stopped] -> -> File not found
(PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped] -> -> File not found
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %System32%\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(PxHelp20) PxHelp20 [Kernel | Boot | Running] -> %System32%\drivers\pxhelp20.sys -> Sonic Solutions [Ver = 2.03.27a | Size = 20576 bytes | Modified Date = 1/26/2005 1:03:00 AM | Attr = ]
(ql1080) ql1080 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1080.sys -> QLogic Corporation [Ver = 3.04 | Size = 40320 bytes | Modified Date = 8/17/2001 12:52:20 PM | Attr = ]
(ql12160) ql12160 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql12160.sys -> QLogic Corporation [Ver = 7.13.02 (W64) | Size = 45312 bytes | Modified Date = 8/17/2001 12:52:20 PM | Attr = ]
(ql1280) ql1280 [Kernel | Disabled | Stopped] -> %System32%\drivers\ql1280.sys -> QLogic Corporation [Ver = 7.13.01 (W2K) | Size = 49024 bytes | Modified Date = 8/17/2001 12:52:18 PM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %System32%\drivers\secdrv.sys -> [Ver = | Size = 27440 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
(senfilt) senfilt [Kernel | On_Demand | Running] -> %System32%\drivers\senfilt.sys -> Creative Technology Ltd. [Ver = 5.10.00.3614 | Size = 732928 bytes | Modified Date = 9/17/2004 1:02:54 PM | Attr = ]
(Simbad) Simbad [Kernel | Disabled | Stopped] -> -> File not found
(sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped] -> %System32%\drivers\SISAGP.SYS -> Silicon Integrated Systems Corporation [Ver = 5.12.01.2010 (xpsp_sp2_rtm.040803-2158) | Size = 41088 bytes | Modified Date = 8/3/2004 10:07:44 PM | Attr = ]
(smwdm) smwdm [Kernel | On_Demand | Running] -> %System32%\drivers\smwdm.sys -> Analog Devices, Inc. [Ver = 5.12.01.5246 | Size = 260352 bytes | Modified Date = 1/27/2005 8:31:06 PM | Attr = ]
(Sparrow) Sparrow [Kernel | Disabled | Stopped] -> %System32%\drivers\sparrow.sys -> Adaptec, Inc. [Ver = v2.0a (ReleaseBinaries.001205-1804) | Size = 19072 bytes | Modified Date = 8/17/2001 1:07:44 PM | Attr = ]
(SPBBCDrv) SPBBCDrv [Kernel | System | Running] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCDrv.sys -> Symantec Corporation [Ver = 4.0.0.132 | Size = 446512 bytes | Modified Date = 8/17/2007 3:23:28 PM | Attr = ]
(SRTSP) SRTSP [File_System | System | Running] -> %System32%\drivers\srtsp.sys -> Symantec Corporation [Ver = 10.2.1.5 | Size = 278576 bytes | Modified Date = 9/18/2007 1:43:36 PM | Attr = ]
(SRTSPL) SRTSPL [Kernel | On_Demand | Stopped] -> %System32%\drivers\srtspl.sys -> Symantec Corporation [Ver = 10.2.1.5 | Size = 317616 bytes | Modified Date = 9/18/2007 1:43:36 PM | Attr = ]
(SRTSPX) SRTSPX [Kernel | System | Running] -> %System32%\drivers\srtspx.sys -> Symantec Corporation [Ver = 10.2.1.5 | Size = 43696 bytes | Modified Date = 9/18/2007 1:43:36 PM | Attr = ]
(sscdbhk5) sscdbhk5 [File_System | System | Running] -> %System32%\drivers\sscdbhk5.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 5627 bytes | Modified Date = 7/14/2004 10:29:04 AM | Attr = ]
(ssrtln) ssrtln [File_System | System | Running] -> %System32%\drivers\ssrtln.sys -> Sonic Solutions [Ver = 1.10.87a | Size = 23545 bytes | Modified Date = 7/14/2004 10:28:50 AM | Attr = ]
(symc810) symc810 [Kernel | Disabled | Stopped] -> %System32%\drivers\symc810.sys -> Symbios Logic Inc. [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 16256 bytes | Modified Date = 8/17/2001 1:07:34 PM | Attr = ]
(symc8xx) symc8xx [Kernel | Disabled | Stopped] -> %System32%\drivers\symc8xx.sys -> LSI Logic [Ver = 5.1.2409.1 (ReleaseBinaries.001205-1804) | Size = 32640 bytes | Modified Date = 8/17/2001 1:07:36 PM | Attr = ]
(SYMDNS) SYMDNS [Kernel | On_Demand | Running] -> %System32%\drivers\symdns.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 13616 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.5.2.1 | Size = 123952 bytes | Modified Date = 11/4/2007 5:04:14 AM | Attr = ]
(SYMFW) SYMFW [Kernel | On_Demand | Running] -> %System32%\drivers\symfw.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 96432 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(SYMIDS) SYMIDS [Kernel | On_Demand | Running] -> %System32%\drivers\symids.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 38576 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(SYMIDSCO) SYMIDSCO [Kernel | On_Demand | Running] -> %CommonProgramFiles%\Symantec Shared\SymcData\ipsdefs\20071101.002\SymIDSCo.sys -> Symantec Corporation [Ver = 8.1.0.4 | Size = 158064 bytes | Modified Date = 9/14/2007 3:15:12 PM | Attr = ]
(SymIM) Symantec Network Security Intermediate Filter Service [Kernel | On_Demand | Stopped] -> %System32%\drivers\SymIM.sys -> Symantec Corporation [Ver = 8.0.0.119 | Size = 31280 bytes | Modified Date = 8/9/2007 6:27:54 PM | Attr = ]
(SymIMMP) SymIMMP [Kernel | On_Demand | Running] -> %System32%\drivers\SymIM.sys -> Symantec Corporation [Ver = 8.0.0.119 | Size = 31280 bytes | Modified Date = 8/9/2007 6:27:54 PM | Attr = ]
(SYMNDIS) SYMNDIS [Kernel | On_Demand | Running] -> %System32%\drivers\symndis.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 37424 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> %System32%\drivers\symredrv.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 22320 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(SYMTDI) SYMTDI [Kernel | System | Running] -> %System32%\drivers\symtdi.sys -> Symantec Corporation [Ver = 8.0.0.124 | Size = 188464 bytes | Modified Date = 8/13/2007 2:50:34 PM | Attr = ]
(sym_hi) sym_hi [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_hi.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 28384 bytes | Modified Date = 8/17/2001 1:07:40 PM | Attr = ]
(sym_u3) sym_u3 [Kernel | Disabled | Stopped] -> %System32%\drivers\sym_u3.sys -> LSI Logic [Ver = 5.1.2462.0 (Lab01_N.010309-0027) | Size = 30688 bytes | Modified Date = 8/17/2001 1:07:42 PM | Attr = ]
(tfsnboio) tfsnboio [File_System | Auto | Running] -> %System32%\dla\tfsnboio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 25883 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsncofs) tfsncofs [File_System | Auto | Running] -> %System32%\dla\tfsncofs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 34843 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsndrct) tfsndrct [File_System | Auto | Running] -> %System32%\dla\tfsndrct.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 4123 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsndres) tfsndres [File_System | Auto | Running] -> %System32%\dla\tfsndres.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 2239 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsnifs) tfsnifs [File_System | Auto | Running] -> %System32%\dla\tfsnifs.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 86586 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsnopio) tfsnopio [File_System | Auto | Running] -> %System32%\dla\tfsnopio.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 15227 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsnpool) tfsnpool [File_System | Auto | Running] -> %System32%\dla\tfsnpool.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 6363 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsnudf) tfsnudf [File_System | Auto | Running] -> %System32%\dla\tfsnudf.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 98714 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(tfsnudfa) tfsnudfa [File_System | Auto | Running] -> %System32%\dla\tfsnudfa.sys -> Sonic Solutions [Ver = 1.04.08a | Size = 100603 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
(ultra) ultra [Kernel | Disabled | Stopped] -> %System32%\drivers\ultra.sys -> Promise Technology, Inc. [Ver = 1.43 (Build 0603) | Size = 36736 bytes | Modified Date = 8/17/2001 12:52:22 PM | Attr = ]
(wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Stopped] -> system32\DRIVERS\wanatw4.sys -> File not found
(WDICA) WDICA [Kernel | On_Demand | Stopped] -> -> File not found
(winachsf) winachsf [Kernel | On_Demand | Running] -> %System32%\drivers\HSF_CNXT.sys -> Conexant Systems, Inc. [Ver = 7.06.00 built by: WinDDK | Size = 680704 bytes | Modified Date = 11/17/2003 8:58:02 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Adobe Reader Speed Launcher -> %ProgramFiles%\Adobe\Reader 8.0\Reader\Reader_sl.exe -> Adobe Systems Incorporated [Ver = 8.0.0.0 | Size = 40048 bytes | Modified Date = 5/11/2007 2:06:32 AM | Attr = ]
ccApp -> %CommonProgramFiles%\Symantec Shared\CCAPP.EXE -> Symantec Corporation [Ver = 107.0.2.2 | Size = 51048 bytes | Modified Date = 10/23/2007 4:18:20 PM | Attr = ]
dla -> %System32%\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
igfxhkcmd -> %System32%\hkcmd.exe -> Intel Corporation [Ver = 3.0.0.4396 | Size = 77824 bytes | Modified Date = 9/20/2005 9:32:24 AM | Attr = ]
igfxpers -> %System32%\igfxpers.exe -> Intel Corporation [Ver = 3.0.0.4396 | Size = 114688 bytes | Modified Date = 9/20/2005 9:36:20 AM | Attr = ]
igfxtray -> %System32%\igfxtray.exe -> Intel Corporation [Ver = 3.0.0.4396 | Size = 94208 bytes | Modified Date = 9/20/2005 9:35:40 AM | Attr = ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\ISUSPM.exe -> InstallShield Software Corporation [Ver = 3, 10, 100, 1155 | Size = 221184 bytes | Modified Date = 7/27/2004 3:50:42 PM | Attr = ]
MSWheel -> -> File not found
osCheck -> %ProgramFiles%\Norton Internet Security\osCheck.exe -> Symantec Corporation [Ver = 15.0.0.178 | Size = 714608 bytes | Modified Date = 8/24/2007 10:53:28 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 5/29/2005 3:36:50 PM | Attr = ]
StartupDelayer -> %ProgramFiles%\r2 Studios\Startup Delayer\Startup Launcher GUI.exe -> r2 studios [Ver = 2.03.0115 | Size = 31744 bytes | Modified Date = 3/15/2007 7:16:58 PM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe -> [Ver = | Size = 32881 bytes | Modified Date = 11/19/2003 4:48:14 PM | Attr = ]
UserFaultCheck -> -> File not found
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
E6TaskPanel -> %ProgramFiles%\EarthLink TotalAccess\TaskPanl.exe -> EarthLink, Inc. [Ver = 2005.2.118.0 | Size = 942080 bytes | Modified Date = 9/1/2005 3:24:56 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Digital Line Detect.lnk -> %ProgramFiles%\Digital Line Detect\DLG.exe -> BVRP Software [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 10/29/2003 1:06:00 AM | Attr = R ]
< User Startup > -> C:\Documents and Settings\CEA\Start Menu\Programs\Startup ->
%UserStartup%\ERUNT AutoBackup.lnk -> %ProgramFiles%\ERUNT\AUTOBACK.EXE -> [Ver = | Size = 38912 bytes | Modified Date = 10/20/2005 11:04:08 AM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 5/30/2007 6:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
igfxcui -> %System32%\igfxdev.dll -> Intel Corporation [Ver = 3.0.0.4396 | Size = 135168 bytes | Modified Date = 9/20/2005 9:31:28 AM | Attr = ]
WgaLogon -> Reg Data - Value does not exist -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.dell4me.com/myway ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://search.msn.com/spbasic.htm ->
HKLM: Search Page -> http://www.google.com ->
HKLM: Start Page -> http://www.google.com ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.earthlink.net/partner/more/m ... earch.html ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dl ... r=iesearch ->
HKCU: Start Page -> http://www.city-data.com/forum/tennessee/ ->
HKCU: URLSearchHooks\\{4D25F926-B9FE-4682-BF72-8AB8210D6D75} [HKLM] -> %ProgramFiles%\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll [] -> MyWay.com [Ver = 1, 0, 1, 7 | Size = 90112 bytes | Modified Date = 9/27/2004 6:57:06 PM | Attr = ]
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{00000000-0000-0000-0000-000000000002} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\EScamBlk.dll [ElnkBhoGuard Class] -> EarthLink, Inc. [Ver = 3.1.142.0 | Size = 198424 bytes | Modified Date = 1/3/2007 7:11:28 PM | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %CommonProgramFiles%\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 8.0.0.2006102200 | Size = 62080 bytes | Modified Date = 10/22/2006 10:08:42 PM | Attr = ]
{15F4D456-5BAA-4076-8486-EECB38CD3E57} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\EScamBlk.dll [ElnkScamBHO Class] -> EarthLink, Inc. [Ver = 3.1.142.0 | Size = 198424 bytes | Modified Date = 1/3/2007 7:11:28 PM | Attr = ]
{4D25F921-B9FE-4682-BF72-8AB8210D6D75} [HKLM] -> %ProgramFiles%\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll [] -> MyWay.com [Ver = 1, 0, 1, 7 | Size = 90112 bytes | Modified Date = 9/27/2004 6:57:06 PM | Attr = ]
{512ACF1B-64D9-4928-B382-A80556F28DB4} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\ElnkPuB.dll [ElnkPubBHO Class] -> EarthLink, Inc. [Ver = 3.2.54.0 | Size = 206616 bytes | Modified Date = 1/3/2007 7:11:26 PM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 12:04:00 AM | Attr = ]
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> %System32%\dla\tfswshx.dll [DriveLetterAccess] -> Sonic Solutions [Ver = 1.04.08a | Size = 118842 bytes | Modified Date = 12/6/2004 12:05:00 AM | Attr = ]
{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [Reg Data - Value does not exist] -> Symantec Corporation [Ver = 2008.2.0.84 | Size = 316784 bytes | Modified Date = 8/24/2007 9:51:56 PM | Attr = ]
{656EC4B7-072B-4698-B504-2A414C1F0037} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll [IE_PopupBlocker Class] -> Propel Software Corporation [Ver = 5.0.1.1054 | Size = 49152 bytes | Modified Date = 2/2/2005 7:33:24 PM | Attr = R ]
{6D53EC84-6AAE-4787-AEEE-F4628F01010C} [HKLM] -> %CommonProgramFiles%\Symantec Shared\IDS\IPSBHO.dll [Symantec Intrusion Prevention] -> Symantec Corporation [Ver = 8.0.0.142 | Size = 116088 bytes | Modified Date = 10/11/2007 6:32:56 PM | Attr = ]
{9579D574-D4D8-4335-9560-FE8641A013BD} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\ProtctIE.dll [ElnkProtectionBHO Class] -> EarthLink, Inc. [Ver = 3.2.54.0 | Size = 247576 bytes | Modified Date = 1/3/2007 7:11:32 PM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{E713904C-DF05-4C79-BBAD-02DB923253BE} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\uninsttb.dll [ElnkLegacyUninstBHO Class] -> EarthLink, Inc. [Ver = 3.2.54.0 | Size = 96024 bytes | Modified Date = 1/3/2007 7:11:36 PM | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [Show Norton Toolbar] -> Symantec Corporation [Ver = 2008.2.0.84 | Size = 316784 bytes | Modified Date = 8/24/2007 9:51:56 PM | Attr = ]
{C7768536-96F8-4001-B1A2-90EE21279187} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\Toolbar.dll [EarthLink Toolbar] -> EarthLink, Inc. [Ver = 3.2.54.0 | Size = 243480 bytes | Modified Date = 1/3/2007 7:11:36 PM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 8:54:42 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/19/2007 11:55:32 PM | Attr = R ]
WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} [HKLM] -> %CommonProgramFiles%\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [Show Norton Toolbar] -> Symantec Corporation [Ver = 2008.2.0.84 | Size = 316784 bytes | Modified Date = 8/24/2007 9:51:56 PM | Attr = ]
WebBrowser\\{C7768536-96F8-4001-B1A2-90EE21279187} [HKLM] -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\Toolbar.dll [EarthLink Toolbar] -> EarthLink, Inc. [Ver = 3.2.54.0 | Size = 243480 bytes | Modified Date = 1/3/2007 7:11:36 PM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2005, 8, 4, 2 | Size = 343112 bytes | Modified Date = 8/4/2005 8:54:42 PM | Attr = ]
WebBrowser\\{F5735C15-1FB2-41FE-BA12-242757E69DDE} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> Reg Data - Key not found [MenuText: Sun Java Console] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} -> Reg Data - Value does not exist [ButtonText: Research] -> File not found
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -> Reg Data - Value does not exist [ButtonText: Real.com] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
E&xport to Microsoft Excel -> -> File not found
EarthLink Google Search -> %ProgramFiles%\EarthLink TotalAccess\Toolbar\SearchUI.dll\search.htm -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{35320331-468F-480A-91DC-AF19B169BBB8} -> (Intel(R) PRO/100 VE Network Connection) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\EarthLink TotalAccess\Accelerator\prplsf.dll -> [Ver = | Size = 73728 bytes | Modified Date = 2/2/2005 7:33:24 PM | Attr = R ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\EarthLink TotalAccess\Accelerator\prplsf.dll -> [Ver = | Size = 73728 bytes | Modified Date = 2/2/2005 7:33:24 PM | Attr = R ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\EarthLink TotalAccess\Accelerator\prplsf.dll -> [Ver = | Size = 73728 bytes | Modified Date = 2/2/2005 7:33:24 PM | Attr = R ]
Protocol_Catalog9\Catalog_Entries\000000000019 -> %ProgramFiles%\EarthLink TotalAccess\Accelerator\prplsf.dll -> [Ver = | Size = 73728 bytes | Modified Date = 2/2/2005 7:33:24 PM | Attr = R ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} -> HouseCall Control - CodeBase = http://housecall60.trendmicro.com/housecall/xscan60.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftup ... 3630100406 ->
{8AD9C840-044E-11D1-B3E9-00805F499D93} -> Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/aut ... s-i586.cab ->
{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -> Java Plug-in 1.4.2_03 - CodeBase = http://java.sun.com/products/plugin/aut ... s-i586.cab ->
{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} -> ActiveDataInfo Class - CodeBase = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab ->


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST\\System.EnterpriseServices.Thunk.dll -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\\DisableMonitoring -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate not found. -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> msv1_0; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> kerberos;msv1_0;schannel;wdigest; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 992 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages -> scecli; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder -> Windows NT Access Provider; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> ¢6Ÿ½¤­€mâÅ.ˆ?S7039099d
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 0ÅÌÇq+y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> Ã
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 5th, 2007, 12:26 am

Last part of report:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Start -> 4 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ImagePath -> C:\WINDOWS\system32\tlntsvr.exe ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DisplayName -> Telnet ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnService -> RPCSS;TCPIP;NTLMSSP; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\\Description -> Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Security\\Security -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\ProxyEnable -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\\EnableAutodial -> 0 ->

[Files/Folders - Created Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 11/4/2007 11:23:27 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 534827008 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
HijackLog -> %SystemDrive%\HijackLog -> [Folder | Created Date = 10/30/2007 2:38:17 PM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 10/31/2007 2:09:14 AM | Attr = ]
Working Folder -> %SystemDrive%\Working Folder -> [Folder | Created Date = 11/1/2007 7:18:17 PM | Attr = ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 10/10/2007 1:38:00 AM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Created Date = 10/10/2007 1:37:44 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 10/10/2007 1:36:22 AM | Attr = H ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 11/1/2007 8:11:04 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 10/31/2007 2:15:15 AM | Attr = ]
TMP0001.TMP -> %SystemRoot%\TMP0001.TMP -> [Ver = | Size = 7304 bytes | Created Date = 11/4/2007 5:07:02 AM | Attr = ]
Norton Internet Security - Run Full System Scan - CEA.job -> %SystemRoot%\tasks\Norton Internet Security - Run Full System Scan - CEA.job -> [Ver = | Size = 618 bytes | Created Date = 10/11/2007 6:37:59 PM | Attr = ]
dumphive.exe -> %System32%\dumphive.exe -> [Ver = | Size = 51200 bytes | Created Date = 11/1/2007 7:56:25 PM | Attr = ]
kmw_dll.dll -> %System32%\kmw_dll.dll -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 122880 bytes | Created Date = 10/18/2007 3:23:01 PM | Attr = ]
kmw_run.exe -> %System32%\kmw_run.exe -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 118784 bytes | Created Date = 10/18/2007 3:23:01 PM | Attr = ]
kmw_show.exe -> %System32%\kmw_show.exe -> [Ver = | Size = 188416 bytes | Created Date = 10/18/2007 3:23:01 PM | Attr = ]
Process.exe -> %System32%\Process.exe -> http://www.beyondlogic.org [Ver = 2, 0, 0, 0 | Size = 53248 bytes | Created Date = 11/1/2007 7:56:25 PM | Attr = ]
S32EVNT1.DLL -> %System32%\S32EVNT1.DLL -> Symantec Corporation [Ver = 12.5.2.2 | Size = 60800 bytes | Created Date = 10/11/2007 6:30:49 PM | Attr = ]
SrchSTS.exe -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Created Date = 11/1/2007 7:56:25 PM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Created Date = 10/30/2007 7:34:26 PM | Attr = R ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3650 bytes | Created Date = 11/1/2007 7:56:52 PM | Attr = ]
VCCLSID.exe -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Created Date = 11/1/2007 7:56:25 PM | Attr = ]
WS2Fix.exe -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Created Date = 11/1/2007 7:56:26 PM | Attr = ]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 11/4/2007 12:25:36 PM | Attr = ]
ikfilesec.sys -> %System32%\drivers\ikfilesec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1036 built by: WinDDK | Size = 41288 bytes | Created Date = 10/31/2007 10:16:11 PM | Attr = ]
iksysflt.sys -> %System32%\drivers\iksysflt.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1024 | Size = 62280 bytes | Created Date = 10/31/2007 10:16:11 PM | Attr = ]
iksyssec.sys -> %System32%\drivers\iksyssec.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1024 | Size = 79688 bytes | Created Date = 10/31/2007 10:16:11 PM | Attr = ]
kcom.sys -> %System32%\drivers\kcom.sys -> PCTools Research Pty Ltd. [Ver = 5.0.2.1008 | Size = 29000 bytes | Created Date = 10/31/2007 10:16:11 PM | Attr = ]
KMW_KBD.sys -> %System32%\drivers\KMW_KBD.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 5760 bytes | Created Date = 10/18/2007 3:23:01 PM | Attr = ]
KMW_LIB.sys -> %System32%\drivers\KMW_LIB.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 4992 bytes | Created Date = 10/18/2007 3:23:02 PM | Attr = ]
KMW_SYS.sys -> %System32%\drivers\KMW_SYS.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 92032 bytes | Created Date = 10/18/2007 3:23:01 PM | Attr = ]
kmw_usb.sys -> %System32%\drivers\kmw_usb.sys -> Kensington Technology Group [Ver = 6.20.4.1 | Size = 10496 bytes | Created Date = 10/18/2007 3:23:02 PM | Attr = ]
SYMEVENT.CAT -> %System32%\drivers\SYMEVENT.CAT -> [Ver = | Size = 10740 bytes | Created Date = 10/11/2007 6:30:49 PM | Attr = ]
SYMEVENT.INF -> %System32%\drivers\SYMEVENT.INF -> [Ver = | Size = 805 bytes | Created Date = 10/11/2007 6:30:49 PM | Attr = ]
SYMEVENT.SYS -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.5.2.1 | Size = 123952 bytes | Created Date = 10/11/2007 6:30:49 PM | Attr = ]
hosts.20071030-135356.backup -> %System32%\drivers\etc\hosts.20071030-135356.backup -> [Ver = | Size = 3541 bytes | Created Date = 10/30/2007 12:53:56 PM | Attr = R ]
hosts.20071030-135357.backup -> %System32%\drivers\etc\hosts.20071030-135357.backup -> [Ver = | Size = 2990 bytes | Created Date = 10/30/2007 12:53:57 PM | Attr = R ]
hosts.20071030-135358.backup -> %System32%\drivers\etc\hosts.20071030-135358.backup -> [Ver = | Size = 1314 bytes | Created Date = 10/30/2007 12:53:58 PM | Attr = R ]
hosts.20071030-151814.backup -> %System32%\drivers\etc\hosts.20071030-151814.backup -> [Ver = | Size = 659 bytes | Created Date = 10/30/2007 2:18:14 PM | Attr = R ]
hosts.20071031-034436.backup -> %System32%\drivers\etc\hosts.20071031-034436.backup -> [Ver = | Size = 3136 bytes | Created Date = 10/31/2007 2:44:36 AM | Attr = R ]
hosts.20071031-034437.backup -> %System32%\drivers\etc\hosts.20071031-034437.backup -> [Ver = | Size = 2843 bytes | Created Date = 10/31/2007 2:44:37 AM | Attr = R ]
hosts.20071031-034438.backup -> %System32%\drivers\etc\hosts.20071031-034438.backup -> [Ver = | Size = 2634 bytes | Created Date = 10/31/2007 2:44:38 AM | Attr = R ]
hosts.20071031-034439.backup -> %System32%\drivers\etc\hosts.20071031-034439.backup -> [Ver = | Size = 2422 bytes | Created Date = 10/31/2007 2:44:39 AM | Attr = R ]
hosts.20071031-034441.backup -> %System32%\drivers\etc\hosts.20071031-034441.backup -> [Ver = | Size = 2361 bytes | Created Date = 10/31/2007 2:44:41 AM | Attr = R ]
hosts.20071031-034442.backup -> %System32%\drivers\etc\hosts.20071031-034442.backup -> [Ver = | Size = 2327 bytes | Created Date = 10/31/2007 2:44:42 AM | Attr = R ]
hosts.20071031-034443.backup -> %System32%\drivers\etc\hosts.20071031-034443.backup -> [Ver = | Size = 2140 bytes | Created Date = 10/31/2007 2:44:43 AM | Attr = R ]
hosts.20071031-034444.backup -> %System32%\drivers\etc\hosts.20071031-034444.backup -> [Ver = | Size = 1942 bytes | Created Date = 10/31/2007 2:44:44 AM | Attr = R ]
hosts.20071031-034445.backup -> %System32%\drivers\etc\hosts.20071031-034445.backup -> [Ver = | Size = 1745 bytes | Created Date = 10/31/2007 2:44:45 AM | Attr = R ]
hosts.20071031-034446.backup -> %System32%\drivers\etc\hosts.20071031-034446.backup -> [Ver = | Size = 1503 bytes | Created Date = 10/31/2007 2:44:46 AM | Attr = R ]
hosts.20071031-034447.backup -> %System32%\drivers\etc\hosts.20071031-034447.backup -> [Ver = | Size = 1283 bytes | Created Date = 10/31/2007 2:44:47 AM | Attr = R ]
hosts.20071031-034448.backup -> %System32%\drivers\etc\hosts.20071031-034448.backup -> [Ver = | Size = 1034 bytes | Created Date = 10/31/2007 2:44:48 AM | Attr = R ]
hosts.20071031-034449.backup -> %System32%\drivers\etc\hosts.20071031-034449.backup -> [Ver = | Size = 689 bytes | Created Date = 10/31/2007 2:44:49 AM | Attr = R ]
hosts.20071031-034451.backup -> %System32%\drivers\etc\hosts.20071031-034451.backup -> [Ver = | Size = 641 bytes | Created Date = 10/31/2007 2:44:51 AM | Attr = R ]

[Files/Folders - Modified Within 30 days]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 11/4/2007 11:28:50 AM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 534827008 bytes | Modified Date = 11/4/2007 1:56:36 PM | Attr = HS]
HijackLog -> %SystemDrive%\HijackLog -> [Folder | Modified Date = 10/31/2007 3:47:48 AM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 11/4/2007 12:25:30 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 11/4/2007 11:28:16 AM | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 10/31/2007 2:24:00 AM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 11/4/2007 1:56:24 PM | Attr = ]
Working Folder -> %SystemDrive%\Working Folder -> [Folder | Modified Date = 11/4/2007 1:54:54 PM | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 10/10/2007 1:38:00 AM | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 10/10/2007 1:38:02 AM | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Modified Date = 10/10/2007 1:37:48 AM | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 10/10/2007 1:36:24 AM | Attr = H ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 11/4/2007 1:56:44 PM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 10/29/2007 6:56:20 PM | Attr = ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Modified Date = 11/2/2007 4:09:22 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 10/31/2007 2:15:28 AM | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 10/28/2007 1:10:42 AM | Attr = R S]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 10/10/2007 1:38:06 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 10/28/2007 12:51:46 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 11/4/2007 7:18:08 AM | Attr = HS]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 11/4/2007 10:13:02 PM | Attr = ]
Scwriter.ini -> %SystemRoot%\Scwriter.ini -> [Ver = | Size = 4462 bytes | Modified Date = 10/15/2007 5:00:30 PM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 254 bytes | Modified Date = 10/18/2007 3:23:04 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 11/4/2007 11:27:26 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 10/11/2007 6:38:00 PM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 11/4/2007 9:56:18 PM | Attr = ]
TMP0001.TMP -> %SystemRoot%\TMP0001.TMP -> [Ver = | Size = 7304 bytes | Modified Date = 11/4/2007 1:56:24 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 613 bytes | Modified Date = 10/18/2007 3:23:04 PM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 10/11/2007 5:50:44 PM | Attr = ]
Norton Internet Security - Run Full System Scan - CEA.job -> %SystemRoot%\tasks\Norton Internet Security - Run Full System Scan - CEA.job -> [Ver = | Size = 618 bytes | Modified Date = 11/4/2007 11:11:46 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 11/4/2007 1:57:20 PM | Attr = H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 366 bytes | Modified Date = 11/4/2007 10:16:00 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 11/4/2007 1:57:52 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 11/2/2007 8:19:48 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 10/18/2007 3:24:00 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 11/4/2007 12:25:38 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 235168 bytes | Modified Date = 10/28/2007 1:27:22 AM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 54280 bytes | Modified Date = 11/4/2007 5:14:00 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 384596 bytes | Modified Date = 11/4/2007 5:14:00 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 445630 bytes | Modified Date = 11/4/2007 5:13:58 AM | Attr = ]
ReinstallBackups -> %System32%\ReinstallBackups -> [Folder | Modified Date = 10/18/2007 3:23:54 PM | Attr = ]
S32EVNT1.DLL -> %System32%\S32EVNT1.DLL -> Symantec Corporation [Ver = 12.5.2.2 | Size = 60800 bytes | Modified Date = 11/4/2007 5:04:14 AM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Modified Date = 10/30/2007 7:34:36 PM | Attr = R ]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 3650 bytes | Modified Date = 11/1/2007 7:56:54 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 11/4/2007 6:25:14 AM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 11/2/2007 4:11:34 PM | Attr = ]
SYMEVENT.CAT -> %System32%\drivers\SYMEVENT.CAT -> [Ver = | Size = 10740 bytes | Modified Date = 11/4/2007 5:04:14 AM | Attr = ]
SYMEVENT.INF -> %System32%\drivers\SYMEVENT.INF -> [Ver = | Size = 805 bytes | Modified Date = 11/4/2007 5:04:14 AM | Attr = ]
SYMEVENT.SYS -> %System32%\drivers\SYMEVENT.SYS -> Symantec Corporation [Ver = 12.5.2.1 | Size = 123952 bytes | Modified Date = 11/4/2007 5:04:14 AM | Attr = ]
hosts.20071030-135356.backup -> %System32%\drivers\etc\hosts.20071030-135356.backup -> [Ver = | Size = 3541 bytes | Modified Date = 10/30/2007 12:53:58 PM | Attr = R ]
hosts.20071030-135357.backup -> %System32%\drivers\etc\hosts.20071030-135357.backup -> [Ver = | Size = 2990 bytes | Modified Date = 10/30/2007 12:53:58 PM | Attr = R ]
hosts.20071030-135358.backup -> %System32%\drivers\etc\hosts.20071030-135358.backup -> [Ver = | Size = 1314 bytes | Modified Date = 10/30/2007 12:53:58 PM | Attr = R ]
hosts.20071030-151814.backup -> %System32%\drivers\etc\hosts.20071030-151814.backup -> [Ver = | Size = 659 bytes | Modified Date = 10/30/2007 12:54:00 PM | Attr = R ]
hosts.20071031-034436.backup -> %System32%\drivers\etc\hosts.20071031-034436.backup -> [Ver = | Size = 3136 bytes | Modified Date = 10/31/2007 2:44:38 AM | Attr = R ]
hosts.20071031-034437.backup -> %System32%\drivers\etc\hosts.20071031-034437.backup -> [Ver = | Size = 2843 bytes | Modified Date = 10/31/2007 2:44:38 AM | Attr = R ]
hosts.20071031-034438.backup -> %System32%\drivers\etc\hosts.20071031-034438.backup -> [Ver = | Size = 2634 bytes | Modified Date = 10/31/2007 2:44:38 AM | Attr = R ]
hosts.20071031-034439.backup -> %System32%\drivers\etc\hosts.20071031-034439.backup -> [Ver = | Size = 2422 bytes | Modified Date = 10/31/2007 2:44:40 AM | Attr = R ]
hosts.20071031-034441.backup -> %System32%\drivers\etc\hosts.20071031-034441.backup -> [Ver = | Size = 2361 bytes | Modified Date = 10/31/2007 2:44:40 AM | Attr = R ]
hosts.20071031-034442.backup -> %System32%\drivers\etc\hosts.20071031-034442.backup -> [Ver = | Size = 2327 bytes | Modified Date = 10/31/2007 2:44:42 AM | Attr = R ]
hosts.20071031-034443.backup -> %System32%\drivers\etc\hosts.20071031-034443.backup -> [Ver = | Size = 2140 bytes | Modified Date = 10/31/2007 2:44:44 AM | Attr = R ]
hosts.20071031-034444.backup -> %System32%\drivers\etc\hosts.20071031-034444.backup -> [Ver = | Size = 1942 bytes | Modified Date = 10/31/2007 2:44:44 AM | Attr = R ]
hosts.20071031-034445.backup -> %System32%\drivers\etc\hosts.20071031-034445.backup -> [Ver = | Size = 1745 bytes | Modified Date = 10/31/2007 2:44:46 AM | Attr = R ]
hosts.20071031-034446.backup -> %System32%\drivers\etc\hosts.20071031-034446.backup -> [Ver = | Size = 1503 bytes | Modified Date = 10/31/2007 2:44:46 AM | Attr = R ]
hosts.20071031-034447.backup -> %System32%\drivers\etc\hosts.20071031-034447.backup -> [Ver = | Size = 1283 bytes | Modified Date = 10/31/2007 2:44:48 AM | Attr = R ]
hosts.20071031-034448.backup -> %System32%\drivers\etc\hosts.20071031-034448.backup -> [Ver = | Size = 1034 bytes | Modified Date = 10/31/2007 2:44:48 AM | Attr = R ]
hosts.20071031-034449.backup -> %System32%\drivers\etc\hosts.20071031-034449.backup -> [Ver = | Size = 689 bytes | Modified Date = 10/31/2007 2:44:50 AM | Attr = R ]
hosts.20071031-034451.backup -> %System32%\drivers\etc\hosts.20071031-034451.backup -> [Ver = | Size = 641 bytes | Modified Date = 10/31/2007 2:44:50 AM | Attr = R ]

[File String Scan - Non-Microsoft Only]
@Alternate Data Stream - 26 bytes -> %SystemDrive%\HijackThis.zip:Zone.Identifier ->
PECompact2 , qoologic , SAHAgent , -> %SystemRoot%\lpt$vpn.905 -> [Ver = | Size = 16129279 bytes | Modified Date = 10/20/2005 12:58:44 PM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\RMAgentOutput.dll -> [Ver = | Size = 25157 bytes | Modified Date = 5/3/2005 10:44:44 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\tsc.exe -> Trend Micro Inc. [Ver = 3.9.0.1020 | Size = 170053 bytes | Modified Date = 1/10/2005 3:17:24 PM | Attr = ]
PECompact2 , qoologic , SAHAgent , -> %SystemRoot%\VPTNFILE.905 -> [Ver = | Size = 16129279 bytes | Modified Date = 10/20/2005 12:58:44 PM | Attr = ]
UPX! , aspack , -> %SystemRoot%\vsapi32.dll -> Trend Micro Inc. [Ver = 7.510-1002 | Size = 1044560 bytes | Modified Date = 2/18/2005 5:40:14 PM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 3:49:30 PM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 7/22/2007 6:39:28 PM | Attr = ]
UPX! , UPX0 , -> %System32%\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/5/2007 10:22:24 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 4:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Modified Date = 10/3/2007 10:36:46 PM | Attr = ]
Thawte Consulting , -> %System32%\XceedFtp.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com http://www.xceedsoft.com [Ver = 1.0.42.0 | Size = 236576 bytes | Modified Date = 11/19/2004 9:07:44 AM | Attr = ]

< End of report >
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 5th, 2007, 12:27 am

HiJack report (I did rename HiJack before running it):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:42 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.city-data.com/forum/tennessee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3630100406
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9516 bytes
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 5th, 2007, 12:51 am

Gee, that's some report, Mayi. I sure hope you don't have to go through that line-by-line.

;-)
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

If it helps . . .

Unread postby alleycat » November 5th, 2007, 7:05 pm

This is part of the SpyBot report when it finds that Security Center Disabled problem:

--- Search result list ---
Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2


This is before I told it to fix the problem. It was clean last night, then I ran another scan after logging on this evening and I got that message.
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby ndmmxiaomayi » November 5th, 2007, 11:56 pm

Hi alleycat. :)

Please double check your security settings here:

  1. Click on Start > Control Panel and double click on Security Center.
  2. On the left side, click on Change the way Security Center alerts me.
  3. A new window will open. Make sure that all the boxes are checked. If they are not, please check the boxes and click OK to apply the settings.
  4. Restart your computer for the changes to take effect.

Next, please open Notepad and copy and paste the following in the Code box into Notepad:

Code: Select all
regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
start notepad C:\look.txt


Click on File > Save As....

In the File Name box, copy and paste in look.bat

In the Save As Type box, select All Files.

Click Save.

Double click on look.bat to run it. Command Prompt will open and close quickly; this is normal. Notepad will open shortly afterwards. Please post the contents of this Notepad file in your next reply.

Lastly, delete this file: C:\Windows\RMAgentOutput.dll

Before deleting it, show hidden files in case it's hidden from view:

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

In your next reply, please post back:

  1. Contents of the Notepad file (C:\look.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby alleycat » November 6th, 2007, 1:09 am

Mayi,

I can't make the changes to Security Center you listed (I can't highlight "Change the way Security Center alerts me"). It also tell me Security Center is currently disabled; however, I can change my other settings. If I run Spybot, it finds the "Security Center disabled" problem. If I have it fix the problem and then restart my computer and run another scan, SpyBot will find the same problem.

This is what I see at the top of Security Center when I go to Control Panel:

"The Security Center is currently unavailble because the Security Center service has not start or was stopped. Please close this window, restart the computer (or start the Security Center service), and then open the Security Center again."


My Windows firewall is off because my Norton firewall is running.

Should I do the other steps you listed, or wait?
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA

Unread postby alleycat » November 6th, 2007, 7:13 am

Okay, I've got Security Center where it automatically runs at startup. I had to go to Run > services.msc to do it.

Here's the look log:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
User avatar
alleycat
Regular Member
 
Posts: 123
Joined: October 30th, 2007, 8:12 pm
Location: Nashville, Tennessee USA
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 263 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware