# Notepad Virus, Upx.exe Trojan



## Raz_Man (Oct 17, 2010)

This Trojan is giving me a major headache. I have never had so many problems with a virus WITHOUT being infected with the virus.
Something to do with this virus was downloaded to my system (Windows XP). I'm pretty sure I've figured out what that program was by now & have deleted it of course. It was never executed or used.
Norton Internet Security has been blocking this Trojan from running for months now, so technically I'm NOT infected with it. I would like however to get rid of all that remains of it. I already deleted the duplicate Notepad files but the Notepad*.pf that I delete keeps coming back. The Trojan usually runs 2 times a day at 5 & 6pm.

Now the other thing I found in the services that didn't look right was "B's Recorder GOLD Library General Service". The "bgsvcgen.exe" is from that & I have tried to delete this from the reg also, unsuccessfully. I deleted the service & have been trying to delete what remains in the registry but can't. This could be one possibility.

Any help would be greatly appreciated as I am running out of things to do.
I have created logs as requested & pasted plus attached.

Thanx,
Robert

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:10:57 PM, on 10/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]\plugins\LMIGuardian.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specials.msn.com/alphabet.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)
O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\IPSBHO.DLL
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coIEPlg.dll
O3 - Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_wi...e&exversion=2.0&pass=2F90DJVA&id=menu_ie_link
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...xversion=2.0&pass=2F90DJVA&id=menu_ie_exclude
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_wi...exversion=2.0&pass=2F90DJVA&id=menu_ie_report
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~1\sblsp.dll
O16 - DPF: vzTCPConfig - http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1276337893640
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NAUpdate - Unknown owner - C:\Program Files\Nero\Update\NASvc.exe (file missing)
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Norton Save and Restore - Symantec Corporation - C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe

--
End of file - 14496 bytes

DDS (Ver_09-09-29.01) - NTFSx86 
Run by Admin at 23:22:57.34 on Thu 10/21/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2113 [GMT -5:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
svchost.exe
C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]\plugins\LMIGuardian.exe
C:\Documents and Settings\Admin\Desktop\dds.com

============== Pseudo HJT Report ===============

============= SERVICES / DRIVERS ===============

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [2010-6-24 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [2010-6-24 20616]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1108000.005\symds.sys [2010-9-23 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1108000.005\symefa.sys [2010-9-23 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-5-12 59280]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20101001.001\BHDrvx86.sys [2010-10-5 692272]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1108000.005\cchpx86.sys [2010-9-23 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1108000.005\ironx86.sys [2010-9-23 116784]
R2 AGCoreService;AG Core Services;c:\program files\agi\core\4.2.0.10753\AGCoreService.exe [2010-6-13 20480]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.8.0.5\ccsvchst.exe [2010-9-23 126392]
R2 Norton Save and Restore;Norton Save and Restore;c:\program files\norton save and restore\agent\VProSvc.exe [2008-9-29 3425632]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\norton~4\norton~1\NPROTECT.EXE [2008-9-25 95600]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [2010-10-18 44432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-8-12 102448]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [2010-6-24 122504]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20101020.001\IDSXpx86.sys [2010-10-19 341880]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101021.002\NAVENG.SYS [2010-10-21 86064]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20101021.002\NAVEX15.SYS [2010-10-21 1371184]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NAUpdate;NAUpdate;"c:\program files\nero\update\nasvc.exe" --> c:\program files\nero\update\NASvc.exe [?]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [2010-6-24 14216]
S3 RkHit;RkHit;c:\windows\system32\drivers\RKHit.sys [2010-10-19 29312]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-10-21 23:22 144 a------- c:\windows\system32\drivers\kgpfr2.cfg
2010-10-21 23:07 --d----- c:\program files\Trend Micro
2010-10-21 22:28 744 a------- c:\windows\system32\drivers\kgpcpy.cfg
2010-10-19 13:11 29,312 a------- c:\windows\system32\drivers\RKHit.sys
2010-10-19 13:11 --d----- c:\program files\SpyDig
2010-10-19 12:36 132,560 a----r-- c:\windows\system32\IS3HTUI5.dll
2010-10-19 12:36 546,256 a----r-- c:\windows\system32\SZComp5.dll
2010-10-19 12:36 452,048 a----r-- c:\windows\system32\SZBase5.dll
2010-10-19 12:36 398,800 a----r-- c:\windows\system32\IS3DBA5.dll
2010-10-19 12:36 28,624 a----r-- c:\windows\system32\IS3XDat5.dll
2010-10-19 12:36 22,992 a----r-- c:\windows\system32\SZIO5.dll
2010-10-19 12:36 390,608 a----r-- c:\windows\system32\IS3UI5.dll
2010-10-19 12:36 99,792 a----r-- c:\windows\system32\IS3Svc5.dll
2010-10-19 12:36 99,792 a----r-- c:\windows\system32\IS3Inet5.dll
2010-10-19 12:36 67,024 a----r-- c:\windows\system32\IS3Hks5.dll
2010-10-19 12:36 738,768 a----r-- c:\windows\system32\IS3Base5.dll
2010-10-19 12:36 230,864 a----r-- c:\windows\system32\IS3Win325.dll
2010-10-19 06:17 22 a------- c:\windows\tpcsd
2010-10-18 02:53 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_point32_01009.Wdf
2010-10-18 02:51 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_dc3d_01009.Wdf
2010-10-18 02:51 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-10-18 02:51 16,928 -------- c:\windows\system32\spmsgXP_2k3.dll
2010-10-18 02:51 1,461,992 a------- c:\windows\system32\wdfcoinstaller01009.dll
2010-10-18 02:51 44,432 a------- c:\windows\system32\drivers\dc3d.sys
2010-10-18 02:51 --d----- c:\program files\Microsoft IntelliType Pro
2010-10-15 21:24 --d----- c:\docume~1\admin\applic~1\Malwarebytes
2010-10-15 21:23 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-15 21:22 --d----- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 18:09 --d----- c:\program files\VideoSpirit Pro
2010-10-11 22:42 --d----- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-11 22:38 --d----- C:\sh4ldr
2010-10-11 21:44 1,101,824 a------- c:\windows\system32\UniBox210.ocx
2010-10-11 21:44 880,640 a------- c:\windows\system32\UniBox10.ocx
2010-10-11 21:44 212,992 a------- c:\windows\system32\UniBoxVB12.ocx
2010-10-11 21:42 1,081,616 a------- c:\windows\system32\MSCOMCTL.OCX
2010-10-05 04:09 --d----- c:\program files\common files\Akamai
2010-09-26 21:39 --d----- c:\docume~1\admin\applic~1\GARMIN

==================== Find3M ====================

2010-09-18 17:00 1,744,896 a---h--- C:\SZKGFS.dat
2010-09-18 12:23 974,848 a------- c:\windows\system32\mfc42u.dll
2010-09-18 01:53 974,848 a------- c:\windows\system32\mfc42.dll
2010-09-18 01:53 954,368 a------- c:\windows\system32\mfc40.dll
2010-09-18 01:53 953,856 a------- c:\windows\system32\mfc40u.dll
2010-09-15 04:50 472,808 a------- c:\windows\system32\deployJava1.dll
2010-09-10 00:58 916,480 a------- c:\windows\system32\wininet.dll
2010-09-10 00:58 43,520 a------- c:\windows\system32\licmgr10.dll
2010-09-08 06:41 103,720 a------- c:\documents and settings\admin\GoToAssistDownloadHelper.exe
2010-09-08 02:48 232,968 a------- c:\windows\system32\nvdrsdb0.bin
2010-09-08 02:48 232,968 a------- c:\windows\system32\nvdrsdb1.bin
2010-09-01 06:51 285,824 a------- c:\windows\system32\atmfd.dll
2010-08-31 08:42 1,852,800 a------- c:\windows\system32\win32k.sys
2010-08-27 03:02 119,808 a------- c:\windows\system32\t2embed.dll
2010-08-27 00:57 99,840 a------- c:\windows\system32\srvsvc.dll
2010-08-26 08:39 357,248 a------- c:\windows\system32\drivers\srv.sys
2010-08-26 07:52 5,120 a------- c:\windows\system32\xpsp4res.dll
2010-08-23 11:12 617,472 a------- c:\windows\system32\comctl32.dll
2010-08-17 08:17 58,880 a------- c:\windows\system32\spoolsv.exe
2010-08-16 03:45 590,848 a------- c:\windows\system32\rpcrt4.dll
2010-06-14 09:24 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-06-14 09:23 8 ---shr-- c:\docume~1\alluse~1\applic~1\49D5D4E04C.sys
2006-06-23 01:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe
2010-06-12 21:36 16,384 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 23:23:16.35 ===============


----------



## Raz_Man (Oct 17, 2010)

Here is the GMER log. I am not sure if it is the same file as the ark.txt:

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-22 21:36:12
Windows 5.1.2600 Service Pack 3
Running: dp5l27rt.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\uxloakoc.sys

---- System - GMER 1.0.15 ----

SSDT 89FBC8A0 ZwAlertResumeThread
SSDT 89FB1A10 ZwAlertThread
SSDT 8A074C40 ZwAllocateVirtualMemory
SSDT 8A07D7F8 ZwAssignProcessToJobObject
SSDT 8A2D2690 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA80CF210]
SSDT 8A074358 ZwCreateMutant
SSDT 89B64C00 ZwCreateSymbolicLinkObject
SSDT 8A0C5070 ZwCreateThread
SSDT 8A05E440 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA80CF490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA80CF9F0]
SSDT 8A074D98 ZwDuplicateObject
SSDT 8A074AA0 ZwFreeVirtualMemory
SSDT 89F9BB10 ZwImpersonateAnonymousToken
SSDT 89F6D0B8 ZwImpersonateThread
SSDT 8A280500 ZwLoadDriver
SSDT 8A0749C0 ZwMapViewOfSection
SSDT 8A0858A0 ZwOpenEvent
SSDT  8A074F38 ZwOpenProcess
SSDT 8A1DC9A8 ZwOpenProcessToken
SSDT 8A036780 ZwOpenSection
SSDT 8A074E68 ZwOpenThread
SSDT 89B64CD0 ZwProtectVirtualMemory
SSDT 89FFA978 ZwResumeThread
SSDT 89FBA978 ZwSetContextThread
SSDT 8A074868 ZwSetInformationProcess
SSDT 8A1DB8E0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA80CFC40]
SSDT 8A07F490 ZwSuspendProcess
SSDT 8A288070 ZwSuspendThread
SSDT 8A0BF878 ZwTerminateProcess
SSDT 89FFDB10 ZwTerminateThread
SSDT 89FDE3A0 ZwUnmapViewOfSection
SSDT 8A074B70 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB5B6E3A0, 0x59FFE5, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB0C34A00]

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\bgsvcgen.exe (*** hidden *** ) [AUTO] bgsvcgen <-- ROOTKIT !!!
Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [AUTO] ERSvc <-- ROOTKIT !!!
Service C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101012.001\IDSxpx86.sys (*** hidden *** ) [MANUAL] IDSxpx86 <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] LmHosts <-- ROOTKIT !!!
Service C:\Program Files\Nero\Update\NASvc.exe (*** hidden *** ) [AUTO] NAUpdate <-- ROOTKIT !!!
Service C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101015.007\NAVENG.SYS (*** hidden *** ) [MANUAL] NAVENG <-- ROOTKIT !!!
Service C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101015.007\NAVEX15.SYS (*** hidden *** ) [MANUAL] NAVEX15 <-- ROOTKIT !!!
Service C:\WINDOWS\System32\svchost.exe (*** hidden *** ) [AUTO] seclogon <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] TrkWks <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] WebClient <-- ROOTKIT !!!

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0  sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0  sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


----------



## Raz_Man (Oct 17, 2010)

When you can help please do. Still in need of it.


----------



## Raz_Man (Oct 17, 2010)

This may or may not be right & may or may not make sense, but I figured it was worth mentioning. I just happened to notice that the Trojan was just now blocked again by Norton while StopZilla was running a scan. Normally StopZilla also runs a scheduled scan during the time of the other detections of 5 & 6 PM. Obviously I know there is nothing wrong with the program StopZilla itself, but I'm not sure how a virus scan is making an infected file try to run a Trojan, if that is the case. If that even makes sense to anyone. Just another possibility I guess. Still no clue on where or what it is though that needs to be removed other than what I have, & the Notepad*.pf does return still too.


----------
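The Notepad*.pf file discussed in the posts above is a Windows prefetch record: XP writes one whenever notepad.exe is launched, so its reappearance only shows that notepad ran, not by itself that the Trojan did. Reading the record gives the last-run time and the run count, which can be compared against the 5 and 6 PM detections, and the list of files notepad touched when it ran. The parser below is an added example written for this page, not code from the thread or from any of the tools in it; the field offsets follow the publicly documented layout of format-version-17 (XP/2003) prefetch files and should be treated as assumptions if a real sample fails to parse, and the sample image it builds is constructed, not captured.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Field offsets for Windows XP / Server 2003 prefetch files (format version
# 17), per the publicly documented layout. Assumptions: adjust if a sample
# from another Windows version is fed in (later versions use other offsets).
PF_VERSION_XP = 17
PF_SIGNATURE = b"SCCA"
OFF_FILE_SIZE = 0x0C
OFF_EXE_NAME = 0x10    # 60 bytes, UTF-16LE, NUL terminated
OFF_HASH = 0x4C
OFF_STRINGS = 0x64     # filename-strings section offset, followed by its size
OFF_LAST_RUN = 0x78    # FILETIME
OFF_RUN_COUNT = 0x90
HEADER_LEN = 0x98      # 84-byte header + 68-byte v17 file-information block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using exact integer arithmetic."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_v17(data):
    """Return executable name, run metadata and loaded-file list of a v17 .pf image."""
    if len(data) < HEADER_LEN:
        raise ValueError("too small to be a prefetch file")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch format version {version}")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, OFF_HASH)[0]
    strings_off, strings_len = struct.unpack_from("<II", data, OFF_STRINGS)
    if strings_off + strings_len > len(data):
        raise ValueError("filename-strings section runs past end of file")
    # Section C is a sequence of NUL-terminated UTF-16LE device paths.
    blob = data[strings_off:strings_off + strings_len].decode("utf-16-le")
    return {
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "file_size": struct.unpack_from("<I", data, OFF_FILE_SIZE)[0],
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]),
        "run_count": struct.unpack_from("<I", data, OFF_RUN_COUNT)[0],
        "loaded_files": [s for s in blob.split("\x00") if s],
    }


def build_sample_prefetch():
    """Constructed v17 prefetch image for NOTEPAD.EXE; not a real capture."""
    loaded = [
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE",
        r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
    ]
    strings = "".join(s + "\x00" for s in loaded).encode("utf-16-le")
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", buf, OFF_FILE_SIZE, HEADER_LEN + len(strings))
    buf[OFF_EXE_NAME:OFF_EXE_NAME + 60] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, OFF_HASH, 0x336A2B2F)  # arbitrary hash value
    struct.pack_into("<II", buf, OFF_STRINGS, HEADER_LEN, len(strings))
    last_run = datetime(2010, 10, 21, 17, 0, tzinfo=timezone.utc)  # arbitrary
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, 42)
    return bytes(buf) + strings


if __name__ == "__main__":
    # Usage: python pf_parse.py C:\WINDOWS\Prefetch\NOTEPAD.EXE-xxxxxxxx.pf
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_prefetch()
    info = parse_prefetch_v17(image)
    print(f"{info['executable']}  hash={info['hash']}  runs={info['run_count']}  "
          f"last run {info['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    for path in info["loaded_files"]:
        print("   ", path)
```

Run it against the real file before deleting it again: a run count that climbs by exactly one per scheduled scan, and a loaded-file list that contains only the usual system DLLs, points at something launching notepad (a scheduled task, a scanner's helper) rather than at the Trojan payload itself. Times are stored in UTC, so subtract five hours for this machine's GMT -5 clock.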



## Raz_Man (Oct 17, 2010)

I think the Notepad file information is incorrect. It now looks more like this is happening when StopZilla runs a virus scan of my files. It's as though a file or 2 on my PC has something that is triggered while it's being scanned that makes Norton see it as a Trojan & then in turn block it. I saw this happen while my downloads (mostly trusted) were being scanned & I happen to have a second drive with a backup copy of these files so that must be why this happens twice a day also. I believe it may be one of the WinZip files. I have gone through these files now along with other normal downloads & started deleting everything that is old & looks like I don't need it. I will see if that works.


----------



## CatByte (Feb 24, 2009)

Hi,

Please do the following:

Download *ComboFix* from one of the following locations:
*Link 1*
*Link 2*

VERY IMPORTANT !!! Save ComboFix.exe to your *Desktop*

IMPORTANT - *Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on *ComboFix.exe* & follow the prompts.
As part of its process, *ComboFix will check to see if the Microsoft Windows Recovery Console* is installed. With malware infections being as they are today, it's *strongly recommended* to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

*Click on Yes*, to continue scanning for malware.
When finished, it shall produce a log for you. *Please include the C:\ComboFix.txt in your next reply.*
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


----------



## Raz_Man (Oct 17, 2010)

How many of these different programs need to keep being installed & run? If this is a Microsoft program then can't it just be installed from Microsoft if it's needed? What else is Combofix going to do? Sorry, but I don't like programs I don't know from sites I don't know.


----------



## CatByte (Feb 24, 2009)

Then I suggest you take your machine to a repair shop.

thank-you


----------



## Raz_Man (Oct 17, 2010)

Thank you for that kind suggestion, but my computer doesn't need to be repaired.

If you read what I posted you would see what my problem is.
All I did was ask a question.
If you can't answer the question or you don't know the answer to my problem that's OK I understand. 

I guess this means everything in the logs is OK so far then. Or were they even looked at?
Recovery Console is already installed on my computer.


----------



## CatByte (Feb 24, 2009)

Your computer appears to be infected with a rootkit

I read the logs you posted.

You took a blind leap of faith to join an online computer help forum where the volunteers that assist infected users are unknown to you.

I would hope that in doing so, you would have read a few posts from others in a similar situation and recognized how an on-line tech help forum operates.

You expressed concern about following the directions of an unknown volunteer. I put in many hours to clean machines of strangers, only because I find the actions of malware writers criminal and despicable and I want to do what I can to help eradicate it.

This form of assistance is obviously not for you as you are uncomfortable trusting the help provided to you.



> Sorry but I don't like programs I don't know from sites I don't know.


If you had read any other posts, you would have recognized that the tools we use are specialized malware removal tools.

Therefore, I suggest that you take your machine to a reputable repair shop for assistance in removing the infection from your machine.

Thank-you


----------



## Raz_Man (Oct 17, 2010)

I'm afraid you misunderstood me. I was talking about not trusting programs from sites I wasn't familiar with sorry. It wasn't meant personally, sorry.
I did already install & run everything your site has asked me to so far.
My original post asked for help with the Trojan "Upx.exe".
None of the virus scan programs I have run have said anything about "rootkit". Is that related to this somehow?



CatByte said:


> This form of assistance is obviously not for you as you are uncomfortable trusting the help provided to you.


So if I ask a question or want to know what something is you assume that means I don't trust you? I'm sorry but I didn't mean to make you feel that way. I do trust you.

I guess you were saying that "Combofix" runs another malware scan & repair, creating an additional log, in addition to installing the Recovery Console? I thought I just needed to install the Recovery Console.
I will run that also then if that is the case & paste that log file too as soon as I can. Sorry for the mix up.

Thank you


----------



## Raz_Man (Oct 17, 2010)

You said my computer also appeared to be infected with the rootkit virus but when I scanned running AVG's Rootkit scan nothing was detected. Just thought I would mention that for you.

This is the Combofix log that was created. The program had a few errors while attempting to run & running it but it finally completed.

ComboFix 10-10-26.03 - Admin 10/27/2010 3:33:25.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2424 [GMT -5:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Admin\GoToAssistDownloadHelper.exe
C:\WINDOWS\system32\drivers\RKHit.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-27 07:36:45 . 2010-10-27 07:36:45 -------- d-----w- C:\$AVG
2010-10-27 05:51:52 . 2010-10-27 05:51:52 -------- d-----w- C:\Documents and Settings\Admin\Application Data\KeePass
2010-10-27 05:48:55 . 2010-10-27 05:48:56 -------- d-----w- C:\Program Files\KeePass Password Safe 2
2010-10-27 03:54:16 . 2010-10-27 03:54:17 -------- d-----w- C:\Documents and Settings\Admin\Application Data\AVG10
2010-10-27 03:50:25 . 2010-10-27 03:50:25 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Common Files
2010-10-27 03:32:54 . 2010-10-27 03:55:15 -------- d-----w- C:\WINDOWS\system32\drivers\AVG
2010-10-27 03:32:54 . 2010-10-27 03:51:12 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG10
2010-10-27 03:31:39 . 2010-10-27 03:31:39 -------- d-----w- C:\Program Files\AVG
2010-10-27 03:09:06 . 2010-10-27 03:32:09 -------- d-----w- C:\Documents and Settings\All Users\Application Data\MFAData
2010-10-27 00:03:08 . 2010-10-18 14:41:54 6146896 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1A3B052F-B73D-49A7-AEF0-F2AA77569C6A}\mpengine.dll
2010-10-26 00:56:12 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-26 00:56:10 . 2010-04-29 20:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-10-24 11:25:53 . 2010-10-18 14:41:54 6146896 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-10-24 11:25:51 . 2010-10-19 16:41:44 222080 ------w- C:\WINDOWS\system32\MpSigStub.exe
2010-10-24 11:25:23 . 2010-10-24 11:25:24 -------- d-----w- C:\Program Files\Windows Defender
2010-10-24 11:06:21 . 2010-10-24 11:09:03 -------- d-----w- C:\Program Files\RegSeeker
2010-10-24 10:50:54 . 2010-10-24 10:50:56 -------- d-----w- C:\Program Files\CCleaner
2010-10-23 13:37:52 . 2010-10-23 13:59:08 -------- d-----w- C:\Documents and Settings\Admin\Local Settings\Application Data\NOS
2010-10-23 04:11:59 . 2010-10-23 05:00:31 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PCPitstop
2010-10-23 04:11:58 . 2010-10-23 04:11:59 -------- d-----w- C:\Program Files\PCPitstop
2010-10-19 18:11:49 . 2010-10-22 03:24:22 -------- d-----w- C:\Program Files\SpyDig
2010-10-19 17:36:24 . 2010-10-19 17:36:24 132560 ----a-r- C:\WINDOWS\system32\IS3HTUI5.dll
2010-10-19 17:36:22 . 2010-10-19 17:36:22 546256 ----a-r- C:\WINDOWS\system32\SZComp5.dll
2010-10-19 17:36:22 . 2010-10-19 17:36:22 452048 ----a-r- C:\WINDOWS\system32\SZBase5.dll
2010-10-19 17:36:22 . 2010-10-19 17:36:22 398800 ----a-r- C:\WINDOWS\system32\IS3DBA5.dll
2010-10-19 17:36:22 . 2010-10-19 17:36:22 28624 ----a-r- C:\WINDOWS\system32\IS3XDat5.dll
2010-10-19 17:36:22 . 2010-10-19 17:36:22 22992 ----a-r- C:\WINDOWS\system32\SZIO5.dll
2010-10-19 17:36:20 . 2010-10-19 17:36:20 99792 ----a-r- C:\WINDOWS\system32\IS3Svc5.dll
2010-10-19 17:36:20 . 2010-10-19 17:36:20 99792 ----a-r- C:\WINDOWS\system32\IS3Inet5.dll
2010-10-19 17:36:20 . 2010-10-19 17:36:20 67024 ----a-r- C:\WINDOWS\system32\IS3Hks5.dll
2010-10-19 17:36:20 . 2010-10-19 17:36:20 390608 ----a-r- C:\WINDOWS\system32\IS3UI5.dll
2010-10-19 17:36:18 . 2010-10-19 17:36:18 738768 ----a-r- C:\WINDOWS\system32\IS3Base5.dll
2010-10-19 17:36:18 . 2010-10-19 17:36:18 230864 ----a-r- C:\WINDOWS\system32\IS3Win325.dll
2010-10-18 07:51:34 . 2008-11-07 23:55:30 16928 ------w- C:\WINDOWS\system32\spmsgXP_2k3.dll
2010-10-18 07:51:16 . 2010-07-21 22:07:36 44432 ----a-w- C:\WINDOWS\system32\drivers\dc3d.sys
2010-10-18 07:51:16 . 2010-07-21 21:52:14 1461992 ----a-w- C:\WINDOWS\system32\wdfcoinstaller01009.dll
2010-10-18 07:51:13 . 2010-10-18 07:51:14 -------- d-----w- C:\Program Files\Microsoft IntelliType Pro
2010-10-18 04:09:31 . 2010-10-18 04:09:31 -------- d-----w- C:\Program Files\Common Files\Java
2010-10-16 02:24:23 . 2010-10-16 02:24:23 -------- d-----w- C:\Documents and Settings\Admin\Application Data\Malwarebytes
2010-10-16 02:23:05 . 2010-10-16 02:23:05 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-10-16 02:22:43 . 2010-10-26 00:56:19 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-10-12 23:09:14 . 2010-10-12 23:13:46 -------- d-----w- C:\Program Files\VideoSpirit Pro
2010-10-12 03:42:31 . 2010-10-12 06:14:38 -------- d-----w- C:\WINDOWS\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 03:38:59 . 2010-10-12 03:38:59 -------- d-----w- C:\sh4ldr
2010-10-12 02:44:02 . 2008-04-02 20:54:20 1101824 ----a-w- C:\WINDOWS\system32\UniBox210.ocx
2010-10-12 02:44:02 . 2008-04-02 20:53:50 212992 ----a-w- C:\WINDOWS\system32\UniBoxVB12.ocx
2010-10-12 02:44:02 . 2008-04-02 20:53:36 880640 ----a-w- C:\WINDOWS\system32\UniBox10.ocx
2010-10-12 02:42:43 . 2004-03-09 06:00:00 1081616 ----a-w- C:\WINDOWS\system32\MSCOMCTL.OCX
2010-10-05 09:09:57 . 2010-10-27 08:44:41 -------- d-----w- C:\Program Files\Common Files\Akamai
2010-10-05 07:05:17 . 2010-10-20 03:07:09 -------- d-----w- C:\Program Files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 02:57:33 . 2010-06-14 05:08:15 40960 ----a-r- C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
2010-10-12 02:57:33 . 2010-06-14 05:08:15 40960 ----a-r- C:\Documents and Settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
2010-09-18 17:23:26 . 2004-08-04 10:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
2010-09-18 06:53:25 . 2004-08-04 10:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42.dll
2010-09-18 06:53:25 . 2004-08-04 10:00:00 954368 ----a-w- C:\WINDOWS\system32\mfc40.dll
2010-09-18 06:53:25 . 2004-08-04 10:00:00 953856 ----a-w- C:\WINDOWS\system32\mfc40u.dll
2010-09-15 09:50:37 . 2010-06-12 09:00:13 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
2010-09-15 07:29:49 . 2010-08-18 12:52:42 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
2010-09-13 21:27:24 . 2010-09-13 21:27:24 25680 ----a-w- C:\WINDOWS\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58:08 . 2006-03-04 03:33:46 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
2010-09-10 05:58:06 . 2004-08-04 10:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
2010-09-10 05:58:06 . 2004-08-04 10:00:00 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
2010-09-07 08:49:00 . 2010-09-07 08:49:00 298448 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2010-09-07 08:48:56 . 2010-09-07 08:48:56 34384 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2010-09-07 08:48:54 . 2010-09-07 08:48:54 249424 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2010-09-07 08:48:50 . 2010-09-07 08:48:50 26064 ----a-w- C:\WINDOWS\system32\drivers\avgrkx86.sys
2010-09-01 11:51:14 . 2004-08-04 10:00:00 285824 ----a-w- C:\WINDOWS\system32\atmfd.dll
2010-08-31 13:42:52 . 2004-08-04 10:00:00 1852800 ----a-w- C:\WINDOWS\system32\win32k.sys
2010-08-27 08:02:29 . 2004-08-04 10:00:00 119808 ----a-w- C:\WINDOWS\system32\t2embed.dll
2010-08-27 05:57:43 . 2004-08-04 10:00:00 99840 ----a-w- C:\WINDOWS\system32\srvsvc.dll
2010-08-26 13:39:50 . 2004-08-04 10:00:00 357248 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2010-08-26 12:52:45 . 2010-06-12 05:48:48 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
2010-08-23 16:12:04 . 2004-08-04 10:00:00 617472 ----a-w- C:\WINDOWS\system32\comctl32.dll
2010-08-17 13:17:06 . 2004-08-04 10:00:00 58880 ----a-w- C:\WINDOWS\system32\spoolsv.exe
2010-08-16 08:45:00 . 2004-08-04 10:00:00 590848 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

I guess the RKHIT.sys driver was at least one problem. I already deleted the entry previously from the registry after running MB.

Now what?


----------
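The ComboFix log above uses one line format for its "Files Created" and "Find3M" sections: creation time, a dot, modification time, size (or dashes for a directory), an eight-character attribute field and the path. Reading a few hundred of those lines by eye is how entries like RKHit.sys get missed, so the script below parses them and applies three triage heuristics: a newly created kernel driver under system32\drivers (RKHit.sys, but also the legitimate AVG and Malwarebytes drivers, so a hit means "check the publisher", not "malware"), a file carrying both the hidden and system attributes (the Spybot TeaTimer.exe entry in the later log shows a legitimate program doing this), and a new directory sitting directly under the drive or Windows root (C:\sh4ldr and the .TMP directory under C:\WINDOWS in this log). This is an added example written for this page, not ComboFix's own code; the heuristics are the editor's, and the sample lines are copied from the posted log, except the TeaTimer line, which is adapted from the one-timestamp "startupreg" form into the two-timestamp form.

```python
import re
from datetime import datetime

# One entry line from the ComboFix "Files Created" / "Find3M" sections:
#   <created> . <modified> <size or --------> <attrs> <path>
# The 8-character attrs field carries d (directory), s, h, a, r and w flags.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-dshraw]{8}) (?P<path>\S.*?)\s*$"
)
DRIVER_FILE = re.compile(r"\\windows\\system32\\drivers\\[^\\]+\.sys$", re.I)
WINDIR_CHILD = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)
DRIVE_ROOT_CHILD = re.compile(r"^[a-z]:\\[^\\]+$", re.I)

# Sample lines copied from the log posted above; the TeaTimer line is adapted
# from the single-timestamp "startupreg" form into the two-timestamp form.
SAMPLE_LOG = r"""
2010-10-27 07:36:45 . 2010-10-27 07:36:45 -------- d-----w- C:\$AVG
2010-10-26 00:56:12 . 2010-04-29 20:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-10-12 03:42:31 . 2010-10-12 06:14:38 -------- d-----w- C:\WINDOWS\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 03:38:59 . 2010-10-12 03:38:59 -------- d-----w- C:\sh4ldr
2010-10-27 03:50:25 . 2010-10-27 03:50:25 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Common Files
2009-03-05 21:07 . 2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
2010-10-24 10:50:54 . 2010-10-24 10:50:56 -------- d-----w- C:\Program Files\CCleaner
"""


def parse_timestamp(text):
    """ComboFix prints seconds in some sections and omits them in others."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_combofix_entries(log_text):
    """Parse every entry line; section banners, dots and registry lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "created": parse_timestamp(m["created"]),
            "modified": parse_timestamp(m["modified"]),
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": m["path"],
        })
    return entries


def triage(entries):
    """Apply the heuristics; each hit is a prompt to check the vendor, not a verdict."""
    findings = []
    for e in entries:
        path, reasons = e["path"], []
        if not e["is_dir"] and DRIVER_FILE.search(path):
            reasons.append("new kernel driver: confirm publisher and signature")
        if e["hidden"] and e["system"]:
            reasons.append("hidden+system attributes")
        if e["is_dir"] and (WINDIR_CHILD.match(path) or DRIVE_ROOT_CHILD.match(path)):
            reasons.append("new directory directly under the drive or Windows root")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python cf_triage.py < C:\ComboFix.txt   (or run as-is on the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for path, reasons in triage(parse_combofix_entries(text)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample it flags C:\$AVG, mbamswissarmy.sys, the .TMP directory, C:\sh4ldr and TeaTimer.exe, and leaves the CCleaner and hidden-only Common Files entries alone. Three of those five are legitimate security tools, which is the point: the heuristics shorten the list to check, and the check itself (who published the file, is it signed, does the vendor document that path) is still done by hand.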



## CatByte (Feb 24, 2009)

Hi,

It appears the bottom of the log has been cut off.

Can you check and see if there is more?

It should be located at C:\combofix.txt


----------



## Raz_Man (Oct 17, 2010)

More from the Combofix file? 

This is the ending of the file:

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4


Like I said, I did get a couple of "End Program" type errors, asking if I wanted to send reports, that I canceled. So maybe there should have been more; I never tried to run it again.

I ran Gmer again & saw that I have 14 services in red that are listed. Are all of these affected?

thank you again


----------



## CatByte (Feb 24, 2009)

Hi,

The GMER scan may be referring to your antivirus; not everything it finds is a problem.

Please re-run combofix, it appears something may have interfered with it the first time it was run, allow it to update if it requests to do so.

Please run it in safe mode if you are still getting errors while running it.

To Enter Safemode 

Go to *Start> Shut off your Computer> Restart*
As the computer starts to boot-up, Tap the *F8 KEY* repeatedly,
this will bring up a *menu.*
Use the *Up and Down Arrow Keys* to scroll up to *Safemode*
Then press the *Enter Key* on your Keyboard 
go into your usual account

Your log is showing that you have both AVG and Norton installed...

Having more than one security program can cause system slow downs, conflicts and crashes. I recommend you remove one of them.


----------



## Raz_Man (Oct 17, 2010)

I'm running Norton Internet Security but only AVG's Anti-Virus. I did not install AVG's Internet Security. Which do you think is better?
I've always used all Norton products but just installed AVG's Anti-Virus because of the Anti-Rootkit. Just to let you know I am also running StopZilla but all I have on is the Pop-Up Protection.

As far as Combofix goes I already did run the update. I tried to run this again & then in safe mode too. I still get errors in both. When doing it normally the errors I get are for "PEV.exe" & "MBR.cfxxe". In safe mode I still got the "MBR.cfxxe" error. I didn't have any programs open.

Also somehow my default browser keeps getting changed from Firefox & an IE icon keeps reappearing on my desktop after I delete it. Is this related to running Combofix?

Here is the log without the "PEV.exe" error:

ComboFix 10-10-26.03 - Admin 10/27/2010 22:55:20.3.4 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2932 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: AVG Internet Security 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-27 07:36 . 2010-10-27 07:36 -------- d-----w- C:\$AVG
2010-10-27 05:51 . 2010-10-27 05:51 -------- d-----w- c:\documents and settings\Admin\Application Data\KeePass
2010-10-27 05:48 . 2010-10-27 05:48 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-10-27 03:54 . 2010-10-27 03:54 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG10
2010-10-27 03:50 . 2010-10-27 03:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-27 03:32 . 2010-10-28 01:03 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-27 03:32 . 2010-10-27 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-27 03:31 . 2010-10-27 03:31 -------- d-----w- c:\program files\AVG
2010-10-27 03:09 . 2010-10-27 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-27 00:03 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1A3B052F-B73D-49A7-AEF0-F2AA77569C6A}\mpengine.dll
2010-10-26 00:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 00:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-24 11:25 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-10-24 11:25 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-24 11:25 . 2010-10-24 11:25 -------- d-----w- c:\program files\Windows Defender
2010-10-24 11:06 . 2010-10-24 11:09 -------- d-----w- c:\program files\RegSeeker
2010-10-24 10:50 . 2010-10-24 10:50 -------- d-----w- c:\program files\CCleaner
2010-10-23 13:37 . 2010-10-23 13:59 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\NOS
2010-10-23 04:11 . 2010-10-23 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-10-23 04:11 . 2010-10-23 04:11 -------- d-----w- c:\program files\PCPitstop
2010-10-19 18:11 . 2010-10-22 03:24 -------- d-----w- c:\program files\SpyDig
2010-10-19 17:36 . 2010-10-19 17:36 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-19 17:36 . 2010-10-19 17:36 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-19 17:36 . 2010-10-19 17:36 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-19 17:36 . 2010-10-19 17:36 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-19 17:36 . 2010-10-19 17:36 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-19 17:36 . 2010-10-19 17:36 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-19 17:36 . 2010-10-19 17:36 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-19 17:36 . 2010-10-19 17:36 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-18 07:51 . 2008-11-07 23:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-10-18 07:51 . 2010-07-21 22:07 44432 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-10-18 07:51 . 2010-07-21 21:52 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-10-18 07:51 . 2010-10-18 07:51 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-10-18 04:09 . 2010-10-18 04:09 -------- d-----w- c:\program files\Common Files\Java
2010-10-16 02:24 . 2010-10-16 02:24 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-10-16 02:23 . 2010-10-16 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-16 02:22 . 2010-10-26 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 23:09 . 2010-10-12 23:13 -------- d-----w- c:\program files\VideoSpirit Pro
2010-10-12 03:42 . 2010-10-12 06:14 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 03:38 . 2010-10-12 03:38 -------- d-----w- C:\sh4ldr
2010-10-12 02:44 . 2008-04-02 20:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-10-12 02:44 . 2008-04-02 20:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-10-12 02:44 . 2008-04-02 20:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-10-12 02:42 . 2004-03-09 06:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-10-05 09:09 . 2010-10-28 03:27 -------- d-----w- c:\program files\Common Files\Akamai
2010-10-05 07:05 . 2010-10-20 03:07 -------- d-----w- c:\program files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-06-12 09:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-08-18 12:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-13 21:27 . 2010-09-13 21:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 08:49 . 2010-09-07 08:49 298448 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-07 08:48 . 2010-09-07 08:48 34384 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-07 08:48 . 2010-09-07 08:48 249424 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-07 08:48 . 2010-09-07 08:48 26064 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-06-12 05:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-03-18 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-03-18 15:09 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2010-06-12 1607272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-06-25 867328]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-15 2745696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
2010-08-26 06:48 2835968 ----a-w- c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 06:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 18:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad]
2010-09-05 15:30 1655296 ----a-w- c:\program files\KeePass Password Safe 2\KeePass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-06-17 17:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Download Manager{NAV_Production_94_136}]
2009-10-10 15:07 403320 ----a-w- c:\documents and settings\All Users\Documents\Norton\{NAV_Production_94_136}\NAVDownloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Save and Restore 2.0]
2008-09-29 17:07 2037088 ----a-w- c:\program files\Norton Save and Restore\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]
2010-10-12 03:01 4093288 ----a-w- c:\program files\Norton Utilities 14\nu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
2008-09-25 19:52 160112 ----a-w- c:\program files\Norton SystemWorks Premier Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NswUiTray]
2008-09-25 19:52 85360 ----a-w- c:\program files\Norton SystemWorks Premier Edition\NswUiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 21:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 21:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:51 57344 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop PC Matic Reminder]
2010-10-13 16:18 324848 ----a-w- c:\program files\PCPitstop\PC Matic\Reminder-PCMatic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerPanel Personal Edition User Interaction]
2007-12-07 19:39 315392 ----a-w- c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 12:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-18 13:34 868352 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spydig.exe]
2010-10-14 21:35 1999360 ----a-w- c:\program files\SpyDig\spydig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [6/24/2010 1:33 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [6/24/2010 1:33 AM 20616]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [9/23/2010 6:00 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [9/23/2010 6:00 PM 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [10/18/2010 2:51 AM 44432]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [6/24/2010 1:33 AM 122504]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 249424]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 298448]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 11:49 PM 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [9/23/2010 6:00 PM 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [9/23/2010 6:00 PM 116784]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [6/13/2010 12:29 AM 20480]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [9/10/2010 1:45 AM 265400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NAUpdate;NAUpdate; [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [9/23/2010 5:59 PM 126392]
S2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [9/29/2008 12:07 PM 3425632]
S2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/23/2010 5:58 AM 102448]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [6/24/2010 1:33 AM 14216]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101027.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
S3 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/22/2010 11:11 PM 90864]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2010-07-21 21:52]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2010-07-21 22:07]

2010-10-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2010-10-25 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Premier Edition\OBC.exe [2008-09-25 19:52]
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_wi...e&exversion=2.0&pass=2F90DJVA&id=menu_ie_link
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...xversion=2.0&pass=2F90DJVA&id=menu_ie_exclude
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_wi...exversion=2.0&pass=2F90DJVA&id=menu_ie_report
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\
FF - prefs.js: browser.startup.homepage - hxxp://specials.msn.com/alphabet.aspx
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\AVG\AVG10\Firefox\components\avgssff.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 22:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2012)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-10-27 22:58:33
ComboFix-quarantined-files.txt 2010-10-28 03:58
ComboFix2.txt 2010-10-28 03:47

Pre-Run: 806,414,807,040 bytes free
Post-Run: 806,605,512,704 bytes free

- - End Of File - - 5CE3580DCC8004CB1F1E03D1D98CD29E


----------



## CatByte (Feb 24, 2009)

Hi,

I am sorry, but I haven't used Norton, AVG or Stopzilla, so I cannot comment on their usefulness. However, it does seem to me as though you have some conflicts between your security programs that may be causing issues; you also have Spybot's TeaTimer and Windows Defender as well.

Personally I use Microsoft Security Essentials and the pro version of MalwareBytes.

Usually the errors that you are seeing with ComboFix are caused by antivirus interference.

I would consider removing the security programs one by one and seeing if your system behaves better. Generally all you need is one antivirus and one or two antispyware programs; more than that and you can cause conflicts and instability.

Please do the following;


*Very Important!* Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. 
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
*Copy/paste the text inside the Codebox below into notepad:*

Here's how to do that:
Click *Start > Run* type *Notepad* click *OK.*
This will open an empty notepad file:

*Copy* all the text *inside of the code box - Press Ctrl+C* (or right click on the highlighted section and choose 'copy')


```
DirLook::
C:\sh4ldr
c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
```
Now *paste* the copied text into the open notepad - press *CTRL+V* (or right click and choose 'paste')

*Save this file to your desktop, Save this as "CFScript"*

Here's how to do that:

1. Click *File;*
2. Click *Save As...* Change the directory to your *desktop;*
3. Change the *Save as type* to *"All Files";*
4. Type in the file name: *CFScript*
5. Click *Save* ...

Referring to the *screenshot* above, *drag CFScript.txt* into *ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
*Copy and paste the contents of the log in your next reply.*

*CAUTION: Do not* mouse-click ComboFix's window while it is running. That may cause it to stall.

*NEXT*


Open your *Malwarebytes' Anti-Malware* program and select the *update tab*, select *update now*
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:
*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so.*

*NEXT*

Using Internet Explorer or Firefox, visit *Kaspersky Online Scanner*:
*1.* Click *Accept*, when prompted to download and install the program files and database of malware definitions.
*2.* To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real-time scanner of any existing antivirus program while performing the online scan
*3.* Click *Run* at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
Once the update is complete, click on *My Computer* under the green *Scan* bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do *NOT* be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click *View scan report* at the bottom.

Click the *Save as Text* button to save the file to your desktop so that you may post it in your next reply
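The DirLook script above makes ComboFix list directories in the same `created . modified size attrs path` layout as its "Files Created" section. As an added example (editor's code, not from this thread, from ComboFix or from Malwarebytes), here is a small Python triage helper that parses such listing lines and flags the ones a helper usually looks at first; the flagging rules are constructed heuristics, and the `Temp\dropped.exe` sample line is invented for illustration.

```python
"""Triage helper for ComboFix 'Files Created' / DirLook listing lines (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One listing line: <created> . <modified> <size | --------> <attrs> <path>
# (layout taken from the log lines posted in this thread; paths may contain spaces)
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>\S.*?)\s*$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".com")
# Directories where newly created binaries are expected after installs/updates (heuristic).
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\microsoft.net\\",
)
# A 32-hex-character name directly under c:\windows, like the .TMP folder in this thread.
HEX_UNDER_WINDOWS = re.compile(r"^c:\\windows\\[0-9a-f]{32}(\.tmp)?(\\|$)")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for a directory line ("--------")
    attrs: str            # 8 flag chars; index 0 'd'=dir, 2 's'=system, 3 'h'=hidden (as in the logs)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_executable(self) -> bool:
        return not self.is_dir and self.path.lower().endswith(EXEC_EXT)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a listing line, or None for headers, blanks and '.' lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    fmt = "%Y-%m-%d %H:%M"
    return Entry(datetime.strptime(m["created"], fmt),
                 datetime.strptime(m["modified"], fmt),
                 size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flag_reasons(e: Entry) -> List[str]:
    """Constructed rules for what deserves a closer look; not ComboFix's own logic."""
    p = e.path.lower()
    reasons = []
    if HEX_UNDER_WINDOWS.match(p):
        reasons.append("hex-named folder directly under c:\\windows")
    if e.is_dir and re.fullmatch(r"[a-z]:\\[^\\]+\\?", p):
        reasons.append("new folder in the drive root")
    if e.is_executable:
        if not p.startswith(TRUSTED_PREFIXES):
            reasons.append("binary outside Program Files / system32")
        if e.hidden or e.system:
            reasons.append("binary carries hidden/system attributes")
    return reasons


def triage(text: str):
    """(path, reasons) for every flagged entry, newest creation time first."""
    out = []
    for e in sorted(parse_log(text), key=lambda x: x.created, reverse=True):
        r = flag_reasons(e)
        if r:
            out.append((e.path, r))
    return out


# Constructed sample in the thread's log layout; the Temp\dropped.exe line is invented.
SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.
2010-10-27 07:36 . 2010-10-27 07:36 -------- d-----w- C:\$AVG
2010-10-26 00:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-20 12:00 . 2010-10-20 12:00 40960 --sha-w- c:\documents and settings\Admin\Local Settings\Temp\dropped.exe
2010-10-12 03:42 . 2010-10-12 06:14 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 03:42 . 2010-10-12 06:13 133775 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla21.exe
2010-10-12 03:38 . 2010-10-12 03:38 -------- d-----w- C:\sh4ldr
scanning hidden files ...
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE):
        print(path, "->", "; ".join(reasons))
```

Paste a whole ComboFix log in place of `SAMPLE`; non-listing lines are skipped, and a flag only means "look here first", not "malicious".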


----------



## Raz_Man (Oct 17, 2010)

I am only running Norton Internet Security as far as Internet Security goes. I do however have both Norton & AVG actively running Anti-Virus. Like I said, I just started to use AVG though & haven't had any problems. Malwarebytes or others I just run manually when I want to. I haven't used Spybot in a while so I can remove that anyway since it's outdated I think. Windows Defender is off also.

I shouldn't need to use more than Malwarebytes, Norton & AVG, I would think, right?

You want me to try to run Combofix again also after I remove some of these programs I installed to try to fix this infection?

I will do the above A.S.A.P.


----------



## Raz_Man (Oct 17, 2010)

I uninstalled Spydig, Spybot, Windows Defender & PC Matic.

I ran the CFscript but I still got the "MBR.cfxxe" error when Combofix ran in Safe mode.

I ran Malwarebytes & nothing was found.

I ran Kaspersky not too long ago & nothing was found but I will run it again. I tried to run it a little while ago but it locked up during the download. (everything else was closed)

Now after I rebooted & started Firefox back up it took a very long time for Firefox to open & load the tabs again. I'm not sure why.

Here are the CFScript & MB logs:

ComboFix 10-10-26.03 - Admin 10/28/2010 13:03:25.7.4 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.3022 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-27 07:36 . 2010-10-27 07:36 -------- d-----w- C:\$AVG
2010-10-27 05:51 . 2010-10-27 05:51 -------- d-----w- c:\documents and settings\Admin\Application Data\KeePass
2010-10-27 05:48 . 2010-10-27 05:48 -------- d-----w- c:\program files\KeePass Password Safe 2
2010-10-27 03:54 . 2010-10-27 03:54 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG10
2010-10-27 03:50 . 2010-10-27 03:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-27 03:32 . 2010-10-28 13:03 -------- d-----w- c:\windows\system32\drivers\AVG
2010-10-27 03:32 . 2010-10-27 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-27 03:31 . 2010-10-27 03:31 -------- d-----w- c:\program files\AVG
2010-10-27 03:09 . 2010-10-27 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-27 00:03 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{1A3B052F-B73D-49A7-AEF0-F2AA77569C6A}\mpengine.dll
2010-10-26 00:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 00:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-24 11:25 . 2010-10-18 14:41 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2010-10-24 11:25 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-24 11:06 . 2010-10-24 11:09 -------- d-----w- c:\program files\RegSeeker
2010-10-24 10:50 . 2010-10-24 10:50 -------- d-----w- c:\program files\CCleaner
2010-10-23 13:37 . 2010-10-23 13:59 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\NOS
2010-10-23 04:11 . 2010-10-28 15:46 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2010-10-19 17:36 . 2010-10-19 17:36 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-19 17:36 . 2010-10-19 17:36 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-19 17:36 . 2010-10-19 17:36 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-19 17:36 . 2010-10-19 17:36 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-19 17:36 . 2010-10-19 17:36 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-19 17:36 . 2010-10-19 17:36 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-19 17:36 . 2010-10-19 17:36 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-19 17:36 . 2010-10-19 17:36 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-18 07:51 . 2008-11-07 23:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-10-18 07:51 . 2010-07-21 22:07 44432 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-10-18 07:51 . 2010-07-21 21:52 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-10-18 07:51 . 2010-10-18 07:51 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-10-18 04:09 . 2010-10-18 04:09 -------- d-----w- c:\program files\Common Files\Java
2010-10-16 02:24 . 2010-10-16 02:24 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-10-16 02:23 . 2010-10-16 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-16 02:22 . 2010-10-26 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 23:09 . 2010-10-12 23:13 -------- d-----w- c:\program files\VideoSpirit Pro
2010-10-12 03:42 . 2010-10-12 06:14 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-12 03:38 . 2010-10-12 03:38 -------- d-----w- C:\sh4ldr
2010-10-12 02:44 . 2008-04-02 20:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-10-12 02:44 . 2008-04-02 20:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-10-12 02:44 . 2008-04-02 20:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-10-12 02:42 . 2004-03-09 06:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-10-05 09:09 . 2010-10-28 17:50 -------- d-----w- c:\program files\Common Files\Akamai
2010-10-05 07:05 . 2010-10-20 03:07 -------- d-----w- c:\program files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-06-12 09:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-08-18 12:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-13 21:27 . 2010-09-13 21:27 25680 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 08:49 . 2010-09-07 08:49 298448 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-09-07 08:48 . 2010-09-07 08:48 34384 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-09-07 08:48 . 2010-09-07 08:48 249424 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-09-07 08:48 . 2010-09-07 08:48 26064 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-06-12 05:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\sh4ldr ----

2010-04-30 22:52 . 2010-04-30 22:52 6125131 ----a-w- c:\sh4ldr\initrd.gz
2010-03-29 22:37 . 2010-03-29 22:37 1738256 ----a-w- c:\sh4ldr\vmlinuz
2010-03-11 20:17 . 2010-03-11 20:17 185835 ----a-w- c:\sh4ldr\shldr

---- Directory of c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP ----

2010-10-12 06:14 . 2010-10-12 06:14 133775 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla21.dll
2010-10-12 06:14 . 2010-10-12 06:14 7081 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseData.ini
2010-10-12 06:13 . 2010-10-12 06:14 133000 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla18.dll
2010-10-12 03:42 . 2010-10-12 06:13 133775 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla21.exe
2010-10-12 03:42 . 2010-10-12 06:14 130254 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla20.dll
2010-10-12 03:42 . 2010-10-12 03:42 133000 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla18.exe
2010-10-12 03:42 . 2010-10-12 06:14 130283 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla19.dll
2010-10-12 03:42 . 2010-10-12 06:14 133000 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla.dll
2010-10-12 03:42 . 2010-10-12 06:14 130283 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla2.dll
2010-10-12 03:42 . 2010-10-12 06:14 27499 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCall.dll
2010-10-12 03:42 . 2010-10-12 06:14 130808 ----a-w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP\WiseCustomCalla17.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-03-18 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-03-18 15:09 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2010-06-12 1607272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-06-25 867328]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2010-09-15 2745696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop PC Matic Reminder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
2010-08-26 06:48 2835968 ----a-w- c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 06:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 18:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad]
2010-09-05 15:30 1655296 ----a-w- c:\program files\KeePass Password Safe 2\KeePass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-06-17 17:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Download Manager{NAV_Production_94_136}]
2009-10-10 15:07 403320 ----a-w- c:\documents and settings\All Users\Documents\Norton\{NAV_Production_94_136}\NAVDownloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Save and Restore 2.0]
2008-09-29 17:07 2037088 ----a-w- c:\program files\Norton Save and Restore\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]
2010-10-12 03:01 4093288 ----a-w- c:\program files\Norton Utilities 14\nu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
2008-09-25 19:52 160112 ----a-w- c:\program files\Norton SystemWorks Premier Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NswUiTray]
2008-09-25 19:52 85360 ----a-w- c:\program files\Norton SystemWorks Premier Edition\NswUiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 21:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 21:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:51 57344 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerPanel Personal Edition User Interaction]
2007-12-07 19:39 315392 ----a-w- c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 12:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-18 13:34 868352 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 26064]
R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [6/24/2010 1:33 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [6/24/2010 1:33 AM 20616]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [9/23/2010 6:00 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [9/23/2010 6:00 PM 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [10/18/2010 2:51 AM 44432]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [6/24/2010 1:33 AM 122504]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 249424]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [9/7/2010 3:49 AM 298448]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 11:49 PM 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [9/23/2010 6:00 PM 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [9/23/2010 6:00 PM 116784]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [6/13/2010 12:29 AM 20480]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [9/10/2010 1:45 AM 265400]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 NAUpdate;NAUpdate; [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [9/23/2010 5:59 PM 126392]
S2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [9/29/2008 12:07 PM 3425632]
S2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/23/2010 5:58 AM 102448]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [6/24/2010 1:33 AM 14216]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101027.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-10-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2010-07-21 21:52]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2010-07-21 22:07]

2010-10-25 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Premier Edition\OBC.exe [2008-09-25 19:52]
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_wi...e&exversion=2.0&pass=2F90DJVA&id=menu_ie_link
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...xversion=2.0&pass=2F90DJVA&id=menu_ie_exclude
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_wi...exversion=2.0&pass=2F90DJVA&id=menu_ie_report
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\
FF - prefs.js: browser.startup.homepage - hxxp://specials.msn.com/alphabet.aspx
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\AVG\AVG10\Firefox\components\avgssff.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-spydig - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-10-28 13:06:53
ComboFix-quarantined-files.txt 2010-10-28 18:06
ComboFix2.txt 2010-10-28 04:52
ComboFix3.txt 2010-10-28 03:58
ComboFix4.txt 2010-10-28 03:47

Pre-Run: 805,730,820,096 bytes free
Post-Run: 806,153,621,504 bytes free

- - End Of File - - 244297A136A2A0EF3291F9410B1AB0E7

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4978

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/28/2010 1:25:39 PM
mbam-log-2010-10-28 (13-25-39).txt

Scan type: Quick scan
Objects scanned: 135169
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## CatByte (Feb 24, 2009)

Hi

Please run the following after the kaspersky scan is complete:

Download *TFC* to your *desktop*
*Mirror*

Close any open windows.
Double click the *TFC* icon to run the program
TFC *will close all open programs itself* in order to run.
Click the *Start* button to begin the process.
Allow *TFC* to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically *reboot your machine*;
if it doesn't, manually reboot to ensure a complete clean.
*It's normal after running TFC cleaner that the PC will be slower to boot the first time.*

*NEXT*


Click *Start*, click *Run*, type *cmd.exe*, and then click *OK*.
At the command prompt, type *sfc /scannow*, and then press *ENTER.*
Note: This command may take several minutes to finish. You may be prompted to provide Windows installation source files when you run the *sfc /scannow* command.
At the command prompt, type *exit*, and then press *ENTER* to close the command prompt.

Please let me know if it finds any issues and how the computer is running now.


----------



## Raz_Man (Oct 17, 2010)

Kaspersky did not find any errors again after running last most of the night. It took much longer than last time to run.

Ran TFC. Should that be used ever again?

The Windows File Protection did fix files "again". I have run this previously two times within this past month also. In case that makes a difference as to why something would be changing if it is.

I removed KeePass since I never had used it & I use RoboForm which seems to do the same thing except better.

Firefox default changed again.
Will see how the rest is.
Still have the original problem with the "UPX.exe" Trojan trying to run when StopZilla is doing a scan.

Should I do this Firefox Add-On, HTTPS Everywhere? They say it's supposed to help with this new hack FireSheep.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 29, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 28, 2010 16:23:46
Records in database: 4187924
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 195660
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 06:02:24

No threats found. Scanned area is clean.

Selected area has been scanned.

Please let me know what to do next.


----------



## CatByte (Feb 24, 2009)

There must be some left over remnants in the registry that aren't showing up in the logs, so let's see if we can find them.

Please do the following:

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:


```
:filefind
*UPX*
*notepad*

:regfind
notepad.exe
UPX.exe
```

Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*
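
As an added example (not part of CatByte's instructions, and not code from SystemLook itself), here is a Python script that parses the filefind section of the SystemLook log Raz_Man posts in reply and groups every copy of the same file name by MD5, so that a notepad.exe whose hash disagrees with the copies in system32, dllcache and ServicePackFiles is reported for review. The list of Windows update backup directories where an older hash is expected is my assumption about the XP layout; the sample lines are copied from the log in this thread.

```python
import re
from collections import Counter, defaultdict

# One result line of a SystemLook ":filefind" section, for example:
# C:\WINDOWS\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
# Fields: path, attribute flags, size, [created], [modified], MD5.
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-F]{32})\s*$",
    re.IGNORECASE,
)
SEARCH_HEADER = re.compile(r'^Searching for "(?P<pattern>.+)"\s*$')

# Assumption: directories where Windows XP keeps pre-update copies of system
# files. A differing hash there is the older version, not evidence of tampering.
BACKUP_DIR_MARKERS = ("$NtServicePackUninstall$", "$NtUninstall")

# Sample filefind section, copied from the SystemLook log posted in this thread.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "*UPX*"
C:\Documents and Settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab --a---- 5571974 bytes [17:53 29/10/2010] [18:31 29/10/2010] CA4D48B671B4A25BBBBB6D9D34ACDA84
C:\Documents and Settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab.old --a---- 5571974 bytes [16:53 29/10/2010] [04:26 27/10/2010] E62341865A8C9F9F7051C83A757BECAC
C:\Documents and Settings\All Users\Application Data\MFAData\pack\bins\w10tuneupx1152um.bin --a---- 2146594 bytes [05:44 21/10/2010] [03:13 27/10/2010] EE3AB18C7C5E2F9E8F1758019148C725

Searching for "*notepad*"
C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:03 12/06/2010] [17:33 28/10/2010] 187AD52D5DB56D34DBF2C18748B30C31
C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:00 12/06/2010] [05:00 12/06/2010] 4F0FA021F539476F48C34CDD92AA2361
C:\WINDOWS\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe -----c- 69120 bytes [02:17 13/06/2010] [10:00 04/08/2004] 388B8FBC36A8558587AFC90FB23A3B99
C:\WINDOWS\Help\notepad.chm --a---- 25236 bytes [10:00 04/08/2004] [10:00 04/08/2004] CC28209EAE1F1C3012ACD5FE3E2BF9B9
C:\WINDOWS\Help\notepad.hlp --a---- 12521 bytes [10:00 04/08/2004] [10:00 04/08/2004] EB9D47ECA3C4621620C37170E70AE647
C:\WINDOWS\ServicePackFiles\i386\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\system32\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:01 12/06/2010] [05:00 12/06/2010] 4F0FA021F539476F48C34CDD92AA2361
C:\WINDOWS\system32\dllcache\notepad.exe --a--c- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
"""


def parse_filefind(text):
    """Return one dict per result line; 'pattern' records which search produced it."""
    entries, pattern = [], None
    for line in text.splitlines():
        header = SEARCH_HEADER.match(line)
        if header:
            pattern = header.group("pattern")
            continue
        match = FILEFIND_LINE.match(line)
        if match:
            entry = match.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entry["pattern"] = pattern
            entries.append(entry)
    return entries


def basename(path):
    # Paths in the log are Windows paths; split on the backslash, not os.sep.
    return path.rsplit("\\", 1)[-1].lower()


def hash_groups(entries):
    """Map lower-cased file name -> MD5 -> list of paths carrying that hash."""
    groups = defaultdict(lambda: defaultdict(list))
    for entry in entries:
        groups[basename(entry["path"])][entry["md5"]].append(entry["path"])
    return groups


def is_backup_copy(path):
    return any(marker in path for marker in BACKUP_DIR_MARKERS)


def find_outliers(entries):
    """For every file name that exists in several copies, return the copies whose
    MD5 disagrees with the majority as (path, md5, expected) tuples, where
    'expected' is True when the copy lives in a Windows update backup directory."""
    outliers = []
    for by_hash in hash_groups(entries).values():
        if len(by_hash) < 2:
            continue  # all copies identical (or only one copy)
        counts = Counter({h: len(paths) for h, paths in by_hash.items()})
        top = max(counts.values())
        leaders = [h for h, c in counts.items() if c == top]
        # With a clear majority only the minority copies are flagged; on a tie
        # there is no reference copy, so every copy is reported for review.
        consensus = leaders[0] if len(leaders) == 1 else None
        for md5, paths in by_hash.items():
            if md5 == consensus:
                continue
            for path in paths:
                outliers.append((path, md5, is_backup_copy(path)))
    return outliers


if __name__ == "__main__":
    for path, md5, expected in find_outliers(parse_filefind(SAMPLE_LOG)):
        status = "expected (update backup)" if expected else "REVIEW"
        print(f"{status}: {path} {md5}")
```

On the posted log the only notepad.exe that differs is the $NtServicePackUninstall$ copy (the pre-SP3 version, so expected), and the only other disagreement is the Admin profile's Notepad.lnk, which was modified on 28/10/2010 and is worth a look.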


----------



## Raz_Man (Oct 17, 2010)

First of all, thank you again for helping me.

Not to change the subject but should I add this Firefox Add-On, HTTPS Everywhere? They say it's supposed to help with this new hack FireSheep.

Is it normal for Windows File Protection to keep finding errors every time I run it?

I've already searched the Registry for any UPX reference previously & I think there was only the 1 that mattered I deleted.

SystemLook 04.09.10 by jpshortstuff
Log created at 19:07 on 29/10/2010 by Admin
Administrator - Elevation successful

========== filefind ==========

Searching for "*UPX*"
C:\Documents and Settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab --a---- 5571974 bytes [17:53 29/10/2010] [18:31 29/10/2010] CA4D48B671B4A25BBBBB6D9D34ACDA84
C:\Documents and Settings\All Users\Application Data\AVG10\SetupBackup\TuneUpx.cab.old --a---- 5571974 bytes [16:53 29/10/2010] [04:26 27/10/2010] E62341865A8C9F9F7051C83A757BECAC
C:\Documents and Settings\All Users\Application Data\MFAData\pack\bins\w10tuneupx1152um.bin --a---- 2146594 bytes [05:44 21/10/2010] [03:13 27/10/2010] EE3AB18C7C5E2F9E8F1758019148C725

Searching for "*notepad*"
C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:03 12/06/2010] [17:33 28/10/2010] 187AD52D5DB56D34DBF2C18748B30C31
C:\Documents and Settings\Default User\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:00 12/06/2010] [05:00 12/06/2010] 4F0FA021F539476F48C34CDD92AA2361
C:\WINDOWS\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\$NtServicePackUninstall$\notepad.exe -----c- 69120 bytes [02:17 13/06/2010] [10:00 04/08/2004] 388B8FBC36A8558587AFC90FB23A3B99
C:\WINDOWS\Help\notepad.chm --a---- 25236 bytes [10:00 04/08/2004] [10:00 04/08/2004] CC28209EAE1F1C3012ACD5FE3E2BF9B9
C:\WINDOWS\Help\notepad.hlp --a---- 12521 bytes [10:00 04/08/2004] [10:00 04/08/2004] EB9D47ECA3C4621620C37170E70AE647
C:\WINDOWS\ServicePackFiles\i386\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\system32\notepad.exe --a---- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Notepad.lnk --a---- 1519 bytes [05:01 12/06/2010] [05:00 12/06/2010] 4F0FA021F539476F48C34CDD92AA2361
C:\WINDOWS\system32\dllcache\notepad.exe --a--c- 69120 bytes [20:26 19/03/2010] [00:12 14/04/2008] 5E28284F9B5F9097640D58A73D38AD4C

========== regfind ==========

Searching for "notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\notepad.exe]
[HKEY_CURRENT_USER\Software\Microsoft\IntelliPoint\AppSpecific\notepad.exe]
"Path"="C:\WINDOWS\system32\notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\notepad.exe]
[HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro\AppSpecific\notepad.exe]
"Path"="C:\WINDOWS\system32\notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"014"="notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csv\OpenWithList]
"c"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dmp\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.key\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LOG\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList]
"b"="NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@C:\WINDOWS\system32\notepad.exe,-469"="Text Document"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\WINDOWS\system32\NOTEPAD.EXE"="Notepad"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\OpenWithList\Notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithList\notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepad.exe\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\notepad.exe\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\edit\command]
@="%SystemRoot%\System32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\print\command]
@="%SystemRoot%\System32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\edit\command]
@="%SystemRoot%\System32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\print\command]
@="%SystemRoot%\System32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dmp_auto_file\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dmp_auto_file\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dqyfile\Shell\Edit_Query_in_Notepad\command]
@="notepad.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command]
@="%SystemRoot%\System32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\print\command]
@="%SystemRoot%\System32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command]
@="%SystemRoot%\System32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\print\command]
@="%SystemRoot%\System32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\iqyfile\Shell\Edit_Query_in_Notepad\command]
@="notepad.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Edit\Command]
@="%SystemRoot%\System32\Notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSEFile\Shell\Print\Command]
@="%SystemRoot%\System32\Notepad.exe /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Edit\Command]
@="%SystemRoot%\System32\Notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\Shell\Print\Command]
@="%SystemRoot%\System32\Notepad.exe /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\key_auto_file\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\key_auto_file\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveUpdate_auto_file\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LiveUpdate_auto_file\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellData.1\shell\Open\command]
@=""C:\WINDOWS\system32\notepad.exe" "%1" "
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellModule.1\shell\Open\command]
@=""C:\WINDOWS\system32\notepad.exe" "%1" "
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Open\command]
@=""C:\WINDOWS\system32\notepad.exe" "%1" "
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\odcfile\shell\EditText\command]
@="NOTEPAD.EXE "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oqyfile\Shell\Edit_Query_in_Notepad\command]
@="notepad.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\print\command]
@="%SystemRoot%\system32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\rqyfile\Shell\Edit_Query_in_Notepad\command]
@="notepad.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.application\shell\edit\command]
@="C:\WINDOWS\system32\notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xaml\shell\edit\command]
@="C:\WINDOWS\system32\notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xbap\shell\edit\command]
@="C:\WINDOWS\system32\notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xps\shell\edit\command]
@="C:\WINDOWS\system32\notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\text\OpenWithList\Notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\text\shell\edit\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\text\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile]
"FriendlyTypeName"="@%SystemRoot%\system32\notepad.exe,-469"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\print\command]
@="%SystemRoot%\system32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\printto\command]
@="%SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Edit\Command]
@="%SystemRoot%\System32\Notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBEFile\Shell\Print\Command]
@="%SystemRoot%\System32\Notepad.exe /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command]
@="%SystemRoot%\System32\Notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Print\Command]
@="%SystemRoot%\System32\Notepad.exe /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.CompositeFont\shell\open\command]
@=""%WinDir%\System32\notepad.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.XamlDocument\shell\edit\command]
@=""%WinDir%\System32\notepad.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Xbap\shell\edit\command]
@=""%WinDir%\System32\notepad.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSFFile\Shell\Edit\Command]
@="%SystemRoot%\System32\Notepad.exe %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WSFFile\Shell\Print\Command]
@="%SystemRoot%\System32\Notepad.exe /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XEV.FailSafeApp\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zapfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zapfile\shell\print\command]
@="%SystemRoot%\system32\NOTEPAD.EXE /p %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\zapfile\shell\printto\command]
@="%SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions]
".ini"="notepad.exe ^.ini"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions]
".txt"="notepad.exe ^.txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions]
".wtx"="notepad.exe ^.wtx"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\notepad.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Nls\MUILanguages\RCV2\notepad.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\notepad.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\IntelliPoint\AppSpecific\notepad.exe]
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\IntelliPoint\AppSpecific\notepad.exe]
"Path"="C:\WINDOWS\system32\notepad.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\IntelliType Pro\AppSpecific\notepad.exe]
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\IntelliType Pro\AppSpecific\notepad.exe]
"Path"="C:\WINDOWS\system32\notepad.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"014"="notepad.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csv\OpenWithList]
"c"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dmp\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.key\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LOG\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList]
"a"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList]
"b"="NOTEPAD.EXE"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@C:\WINDOWS\system32\notepad.exe,-469"="Text Document"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\WINDOWS\system32\NOTEPAD.EXE"="Notepad"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"ini"="notepad.exe ^.ini"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"txt"="notepad.exe ^.txt"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Extensions]
"wtx"="notepad.exe ^.wtx"

Searching for "UPX.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"009"="*upx.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"011"="upx.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"020"="setupx.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"009"="*upx.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"011"="upx.exe"
[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"020"="setupx.exe"

-= EOF =-


----------



## Raz_Man (Oct 17, 2010)

More info:
Both my C: drive & my F: drive are bootable drives. My F: is my old drive & now a backup drive. I was trying to explain that when StopZilla is actually scanning the C: drive that is when the 1st "UPX.exe Trojan" is blocked by Norton. The scheduled scan I run daily at 5PM. Today it was blocked at 5:44PM & 7:00PM. The 2nd block occurs when the F: drive is scanned since whatever it is, is there also.

What seems to also happen when this occurs is that a file, "NOTEPAD.EXE-189578DA.pf", dated Today, October 29, 2010, 7:09:19 PM, is created. I think the numbers vary, not sure. This example is for today as far as exact times.

Every time I delete this file it returns; otherwise the date & times change.


----------



## CatByte (Feb 24, 2009)

Hi

I really think you are experiencing some serious conflicts with your security programs; the notepad file is in prefetch and doesn't need deleting.

Please try completely removing Stopzilla and Norton or AVG...either one.

There are removal tools to remove traces of them:

AVG remover
http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Norton remover
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Then re-run the TFC (temp file cleaner program; yes, keep that, it's good to run every month or so).

Then re-run ComboFix (allow it to update if it asks to do so).

Sometimes system components are such that certain programs just don't run well together.
I think there was an infection there; there aren't any remnants showing up in the logs any more.

I'm not sure what it's coming up with when it is reporting UPX.exe...perhaps just the reference to it in your search assistant?

Please run OTL as well and see if anything else surfaces:


Download *OTL* and save it to your desktop.
Double click on the icon to run it.
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath *Output* at the top, make sure *Standard output* is selected.
Under the *Extra Registry* section, check *Use SafeList*
Download the following file *scan.txt* to your *Desktop*. *Click here to download it*. You may need to right click on it and select "Save"
Double click inside the Custom Scan box at the bottom
A window will appear saying *"Click Ok to load a custom scan from a file or Cancel to cancel"*
Click the Ok button and navigate to the file *scan.txt* which we just saved to your desktop
Select scan.txt and click Open. Writing will now appear under the Custom Scan box
Click the *Run Scan* button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (*Edit->Select All, Edit->Copy*) the contents of these files, one at a time and post them in your topic


As for the HTTPS add-on, it depends what you use the internet for. You need to trust the sites you visit to use it, or you defeat the purpose of it. Try it if it is something that interests you; it can always be uninstalled if it doesn't work well with your system.
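The NOTEPAD.EXE-189578DA.pf file discussed above is a Windows prefetch trace, an execution record rather than a payload, so it reappears every time notepad.exe runs. As an added example (not CatByte's advice or code from any tool in this thread), the block below parses the Windows XP prefetch header, the version-17 layout as I know it, and checks that a .pf file's name agrees with the executable name and path hash stored inside it; the header bytes are constructed here, not taken from the poster's machine.

```python
"""Parse a Windows XP (format version 17) prefetch header.

Added example, not code from the thread or any tool in it. Assumed layout:
the version-17 prefetch header (SCCA signature, UTF-16 name at 0x10, path
hash at 0x4C, last-run FILETIME at 0x78, run count at 0x90). The sample
header bytes are constructed below.
"""
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
XP_VERSION = 17
HEADER_LEN = 0x98  # fixed header plus the version-17 file-information block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def _filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch_header(data: bytes) -> dict:
    """Return the fields a responder cares about from a v17 prefetch header."""
    if len(data) < HEADER_LEN:
        raise ValueError("buffer shorter than a version-17 prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version != XP_VERSION:
        raise ValueError(f"format version {version} is not the XP layout (17)")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL padded.
    raw_name = data[0x10:0x10 + 60]
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {
        "exe_name": exe_name,
        "path_hash": path_hash,
        "file_size": file_size,
        "last_run": _filetime_to_datetime(last_run_ft),
        "run_count": run_count,
    }


def expected_filename(header: dict) -> str:
    """Prefetch files are named <EXE>-<HASH>.pf; the hash is over the full path."""
    return f"{header['exe_name']}-{header['path_hash']:08X}.pf"


def filename_matches(filename: str, header: dict) -> bool:
    """A .pf whose name disagrees with its own header deserves a closer look."""
    return filename.upper() == expected_filename(header).upper()


def build_sample_header(exe_name: str, path_hash: int,
                        last_run: datetime, run_count: int) -> bytes:
    """Construct a minimal v17 header (sample data, not a real capture)."""
    buf = bytearray(HEADER_LEN)
    struct.pack_into("<I4s", buf, 0, XP_VERSION, SCCA_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, HEADER_LEN)
    name = exe_name.encode("utf-16-le")[:58]
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, path_hash)
    delta = last_run - FILETIME_EPOCH  # integer arithmetic keeps the ticks exact
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, 0x78, ticks)
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


# Constructed sample modelled on the file the poster saw (NOTEPAD.EXE-189578DA.pf,
# written 2010-10-29 19:09:19 local time, UTC-5 per the ComboFix log above).
SAMPLE_LAST_RUN = datetime(2010, 10, 30, 0, 9, 19, tzinfo=timezone.utc)
SAMPLE = build_sample_header("NOTEPAD.EXE", 0x189578DA, SAMPLE_LAST_RUN, 42)


if __name__ == "__main__":
    hdr = parse_prefetch_header(SAMPLE)
    print(expected_filename(hdr), hdr["last_run"].isoformat(), hdr["run_count"])
```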


----------



## Raz_Man (Oct 17, 2010)

Right, there isn't anything left in the registry now except for search assistant, but that wasn't there before the Trojan was blocked. I only searched for UPX because of it.

Norton has been blocking this UPX.exe Trojan from running for over 4 months. AVG I just installed so it has nothing to do with it. 

StopZilla is only running a scan, and that is when this occurs. StopZilla is NOT active now. Only the Pop-Up blocker is on & only the scanner is being run. Spyware & Siteguard are off.

Malwarebytes wasn't installed at the time this was happening either. When this first started I only had StopZilla & Norton on my system, nothing else.

I'll take AVG back off though & run Combofix again along with OTL.


----------



## Raz_Man (Oct 17, 2010)

Here are the logs:

ComboFix 10-10-26.03 - Admin 10/31/2010 0:50.8.4 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3327.2929 [GMT -5:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-31 )))))))))))))))))))))))))))))))
.

2010-10-29 18:25 . 2010-10-29 18:25 -------- d-----w- c:\documents and settings\Admin\Application Data\AVG
2010-10-29 16:55 . 2010-10-29 16:55 388096 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-29 16:47 . 2010-08-26 06:48 251392 ----a-w- c:\program files\Mozilla Firefox\plugins\npdap.dll
2010-10-27 07:36 . 2010-10-27 07:36 -------- d-----w- C:\$AVG
2010-10-27 05:51 . 2010-10-29 16:51 -------- d-----w- c:\documents and settings\Admin\Application Data\KeePass
2010-10-27 03:50 . 2010-10-27 03:50 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-10-27 03:32 . 2010-10-27 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-10-27 03:31 . 2010-10-29 18:14 -------- d-----w- c:\program files\AVG
2010-10-27 03:09 . 2010-10-29 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2010-10-26 00:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-26 00:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-24 11:25 . 2010-10-19 16:41 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-24 11:06 . 2010-10-24 11:09 -------- d-----w- c:\program files\RegSeeker
2010-10-24 10:50 . 2010-10-24 10:50 -------- d-----w- c:\program files\CCleaner
2010-10-23 13:37 . 2010-10-23 13:59 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\NOS
2010-10-19 17:36 . 2010-10-19 17:36 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-19 17:36 . 2010-10-19 17:36 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-19 17:36 . 2010-10-19 17:36 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-19 17:36 . 2010-10-19 17:36 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-19 17:36 . 2010-10-19 17:36 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-19 17:36 . 2010-10-19 17:36 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-19 17:36 . 2010-10-19 17:36 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-19 17:36 . 2010-10-19 17:36 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-19 17:36 . 2010-10-19 17:36 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-19 17:36 . 2010-10-19 17:36 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-18 07:51 . 2008-11-07 23:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2010-10-18 07:51 . 2010-07-21 22:07 44432 ----a-w- c:\windows\system32\drivers\dc3d.sys
2010-10-18 07:51 . 2010-07-21 21:52 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
2010-10-18 07:51 . 2010-10-18 07:51 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-10-18 04:09 . 2010-10-18 04:09 -------- d-----w- c:\program files\Common Files\Java
2010-10-16 02:24 . 2010-10-16 02:24 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
2010-10-16 02:23 . 2010-10-16 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-16 02:22 . 2010-10-26 00:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 23:09 . 2010-10-12 23:13 -------- d-----w- c:\program files\VideoSpirit Pro
2010-10-12 03:38 . 2010-10-12 03:38 -------- d-----w- C:\sh4ldr
2010-10-12 02:44 . 2008-04-02 20:54 1101824 ----a-w- c:\windows\system32\UniBox210.ocx
2010-10-12 02:44 . 2008-04-02 20:53 212992 ----a-w- c:\windows\system32\UniBoxVB12.ocx
2010-10-12 02:44 . 2008-04-02 20:53 880640 ----a-w- c:\windows\system32\UniBox10.ocx
2010-10-12 02:42 . 2004-03-09 06:00 1081616 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-10-05 09:09 . 2010-10-31 05:41 -------- d-----w- c:\program files\Common Files\Akamai
2010-10-05 07:05 . 2010-10-20 03:07 -------- d-----w- c:\program files\Common Files\Ahead

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe1_A31838F18E0D4CA3A40A20825B92F125.exe
2010-10-12 02:57 . 2010-06-14 05:08 40960 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{A31838F1-8E0D-4CA3-A40A-20825B92F125}\Serials2005.exe_A31838F18E0D4CA3A40A20825B92F125.exe
2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 09:50 . 2010-06-12 09:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 07:29 . 2010-08-18 12:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-06-12 05:48 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 10:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2010-03-18 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
2010-03-18 15:09 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2010-06-12 1607272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 1797008]
"Ad Muncher"="c:\program files\Ad Muncher\AdMunch.exe" [2010-06-25 867328]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
TPSvc.dll [BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KeePass 2 PreLoad

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
2010-08-26 06:48 2835968 ----a-w- c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 06:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2007-03-21 18:00 174872 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 06:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-06-17 17:13 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-04-29 20:39 437584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Download Manager{NAV_Production_94_136}]
2009-10-10 15:07 403320 ----a-w- c:\documents and settings\All Users\Documents\Norton\{NAV_Production_94_136}\NAVDownloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Save and Restore 2.0]
2008-09-29 17:07 2037088 ----a-w- c:\program files\Norton Save and Restore\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NortonUtilities]
2010-10-12 03:01 4093288 ----a-w- c:\program files\Norton Utilities 14\nu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSWosCheck]
2008-09-25 19:52 160112 ----a-w- c:\program files\Norton SystemWorks Premier Edition\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NswUiTray]
2008-09-25 19:52 85360 ----a-w- c:\program files\Norton SystemWorks Premier Edition\NswUiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 21:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 21:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OM_Monitor]
2006-05-16 22:51 57344 ----a-w- c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerPanel Personal Edition User Interaction]
2007-12-07 19:39 315392 ----a-w- c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 12:12 729088 ------w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2006-12-18 13:34 868352 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
"1033:TCP"= 1033:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 EUBAKUP;EUBAKUP;c:\windows\system32\drivers\eubakup.sys [6/24/2010 1:33 AM 26248]
R0 EUFS;EUFS;c:\windows\system32\drivers\eufs.sys [6/24/2010 1:33 AM 20616]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1108000.005\symds.sys [9/23/2010 6:00 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1108000.005\symefa.sys [9/23/2010 6:00 PM 173104]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [12/7/2009 5:59 PM 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [5/12/2010 6:01 PM 59280]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [10/18/2010 2:51 AM 44432]
R3 EuDisk;EASEUS Disk Enumerator;c:\windows\system32\drivers\EuDisk.sys [6/24/2010 1:33 AM 122504]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [12/7/2009 5:59 PM 61328]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys [10/5/2010 11:49 PM 692272]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1108000.005\cchpx86.sys [9/23/2010 6:00 PM 501888]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1108000.005\ironx86.sys [9/23/2010 6:00 PM 116784]
S2 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10753\AGCoreService.exe [6/13/2010 12:29 AM 20480]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/25/2010 7:56 PM 304464]
S2 NAUpdate;NAUpdate; [x]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe [9/23/2010 5:59 PM 126392]
S2 Norton Save and Restore;Norton Save and Restore;c:\program files\Norton Save and Restore\Agent\VProSvc.exe [9/29/2008 12:07 PM 3425632]
S2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [9/25/2008 2:53 PM 95600]
S2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/23/2010 5:58 AM 102448]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 EUDSKACS;EUDSKACS;c:\windows\system32\drivers\eudskacs.sys [6/24/2010 1:33 AM 14216]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/25/2010 7:56 PM 20952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 17:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-10-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2010-07-21 21:52]

2010-10-19 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2010-07-21 22:07]

2010-10-25 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Premier Edition\OBC.exe [2008-09-25 19:52]
.
.
------- Supplementary Scan -------
.
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_wi...&exversion=2.0&pass=2F90DJVA&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_wi...e&exversion=2.0&pass=2F90DJVA&id=menu_ie_link
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...xversion=2.0&pass=2F90DJVA&id=menu_ie_exclude
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_wi...exversion=2.0&pass=2F90DJVA&id=menu_ie_report
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Search Using Copernic Agent - c:\program files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
Handler: copernicagent - {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - c:\progra~1\COPERN~1\COPERN~1.DLL
Handler: copernicagentcache - {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - c:\progra~1\COPERN~1\COPERN~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\
FF - prefs.js: browser.startup.homepage - hxxp://specials.msn.com/alphabet.aspx
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\AVG\AVG10\Firefox\components\avgssff.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdap.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-WinDefend

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-31 00:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.8.0.5\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-299502267-2147188803-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(504)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-10-31 00:53:35
ComboFix-quarantined-files.txt 2010-10-31 05:53
ComboFix2.txt 2010-10-28 18:06
ComboFix3.txt 2010-10-28 04:52
ComboFix4.txt 2010-10-28 03:58
ComboFix5.txt 2010-10-31 05:49

Pre-Run: 802,519,683,072 bytes free
Post-Run: 802,739,302,400 bytes free

- - End Of File - - AAB9AFBB3C82212477ECFD1B818BC0B5

OTL logfile created on: 10/31/2010 1:02:50 AM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
12.00 Gb Paging File | 12.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 744.38 Gb Free Space | 79.91% Space Free | Partition Type: NTFS
Drive F: | 698.64 Gb Total Space | 57.13 Gb Free Space | 8.18% Space Free | Partition Type: NTFS
Drive G: | 698.64 Gb Total Space | 695.12 Gb Free Space | 99.50% Space Free | Partition Type: NTFS

Computer Name: ADMINISTRATOR | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/31 00:01:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
PRC - [2010/10/19 12:36:34 | 000,177,616 | R--- | M] (iS3, Inc.) -- C:\Program Files\STOPzilla!\STOPzilla.exe
PRC - [2010/10/19 12:36:28 | 000,062,928 | R--- | M] (iS3, Inc.) -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
PRC - [2010/06/25 07:30:59 | 000,867,328 | ---- | M] (Murray Hurps Corp Pty Ltd) -- C:\Program Files\Ad Muncher\AdMunch.exe
PRC - [2010/06/12 03:37:36 | 001,607,272 | ---- | M] (Speedbit Ltd.) -- C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
PRC - [2010/06/12 03:37:36 | 000,300,656 | ---- | M] (Speedbit Ltd.) -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe
PRC - [2010/06/12 03:37:36 | 000,140,920 | ---- | M] (Speedbit Ltd.) -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/03/18 10:57:48 | 000,020,480 | ---- | M] (AG Interactive) -- C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe
PRC - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccsvchst.exe
PRC - [2008/09/29 12:07:56 | 003,425,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe
PRC - [2008/09/25 14:53:32 | 000,181,680 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks Premier Edition\Norton Utilities\Speed Disk\NOPDB.exe
PRC - [2008/09/25 14:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) -- C:\Program Files\Norton SystemWorks Premier Edition\Norton Utilities\NPROTECT.EXE
PRC - [2008/08/01 10:31:11 | 000,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2008/06/19 14:22:08 | 000,868,352 | ---- | M] () -- C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 13:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

========== Modules (SafeList) ==========

MOD - [2010/10/31 00:01:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
MOD - [2010/09/20 14:26:01 | 000,415,088 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\asoehook.dll
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2010/06/12 03:41:24 | 000,030,208 | ---- | M] (Murray Hurps Corp Pty Ltd) -- C:\Program Files\Ad Muncher\AM31376.dll
MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll

========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [Auto | Stopped] -- -- (NAUpdate)
SRV - File not found [On_Demand | Stopped] -- C:\WINDOWS\System32\appmgmts.dll -- (AppMgmt)
SRV - [2010/10/19 12:36:28 | 000,062,928 | R--- | M] (iS3, Inc.) [Auto | Running] -- C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- (szserver)
SRV - [2010/10/05 04:10:00 | 002,950,744 | ---- | M] () [Auto | Running] -- C:/Program Files/Common Files/Akamai/netsession_win_062a651.dll -- (Akamai)
SRV - [2010/06/12 03:37:36 | 000,300,656 | ---- | M] (Speedbit Ltd.) [Auto | Running] -- C:\Program Files\SpeedBit Video Accelerator\VideoAcceleratorService.exe -- (VideoAcceleratorService)
SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 13:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 13:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/03/18 10:57:48 | 000,020,480 | ---- | M] (AG Interactive) [Auto | Running] -- C:\Program Files\AGI\core\4.2.0.10753\AGCoreService.exe -- (AGCoreService)
SRV - [2010/02/25 19:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ccSvcHst.exe -- (NIS)
SRV - [2008/09/29 12:07:56 | 003,425,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton Save and Restore\Agent\VProSvc.exe -- (Norton Save and Restore)
SRV - [2008/09/25 14:53:32 | 000,181,680 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks Premier Edition\Norton Utilities\Speed Disk\NOPDB.exe -- (Speed Disk service)
SRV - [2008/09/25 14:53:16 | 000,095,600 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton SystemWorks Premier Edition\Norton Utilities\NPROTECT.EXE -- (NProtectService)
SRV - [2008/08/01 10:31:11 | 000,238,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/08/01 10:31:01 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/06/19 14:22:08 | 000,868,352 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe -- (ppped)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/10/19 15:36:22 | 000,341,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20101028.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/09/30 02:36:34 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101030.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/09/30 02:36:34 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20101030.003\NAVENG.SYS -- (NAVENG)
DRV - [2010/08/31 17:57:04 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20101001.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/07/21 17:07:36 | 000,044,432 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV - [2010/07/10 05:38:00 | 010,604,128 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2010/06/21 09:22:45 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/06/21 09:22:45 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/06/21 09:21:24 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/05/12 18:01:06 | 000,059,280 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\szkgfs.sys -- (szkgfs)
DRV - [2010/05/05 23:01:59 | 000,361,904 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2010/04/29 00:03:51 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\Ironx86.SYS -- (SymIRON)
DRV - [2010/04/21 22:02:20 | 000,173,104 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMEFA.SYS -- (SymEFA)
DRV - [2010/04/21 21:29:50 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NIS\1108000.005\SRTSP.SYS -- (SRTSP)
DRV - [2010/04/21 21:29:50 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/03/03 21:33:26 | 000,435,736 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iastor)
DRV - [2010/02/25 19:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\ccHPx86.sys -- (ccHP)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\szkg.sys -- (szkg5)
DRV - [2009/12/07 17:59:32 | 000,061,328 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\is3srv.sys -- (is3srv)
DRV - [2009/12/02 12:21:00 | 000,020,616 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\eufs.sys -- (EUFS)
DRV - [2009/12/02 12:20:58 | 000,014,216 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\eudskacs.sys -- (EUDSKACS)
DRV - [2009/12/02 12:20:56 | 000,026,248 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\eubakup.sys -- (EUBAKUP)
DRV - [2009/12/02 12:20:54 | 000,122,504 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\EuDisk.sys -- (EuDisk)
DRV - [2009/08/29 19:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1108000.005\SYMDS.SYS -- (SymDS)
DRV - [2008/09/29 12:16:28 | 000,128,104 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WimFltr.sys -- (WimFltr)
DRV - [2008/09/29 11:55:00 | 000,138,080 | ---- | M] (StorageCraft) [File_System | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symsnap.sys -- (symsnap)
DRV - [2008/09/29 11:54:58 | 000,037,864 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\v2imount.sys -- (v2imount)
DRV - [2008/09/29 11:53:18 | 000,014,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\vproeventmonitor.sys -- (VProEventMonitor)
DRV - [2008/09/25 14:53:36 | 000,095,760 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SdDriver.SYS -- (SDdriver)
DRV - [2008/09/25 14:53:14 | 000,087,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NPDRIVER.SYS -- (NPDriver)
DRV - [2008/04/13 11:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/12/06 09:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/03/24 06:20:24 | 000,046,208 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\jraid.sys -- (jraid)
DRV - [2007/01/15 20:09:06 | 000,293,888 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/03/17 04:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/02/07 14:52:58 | 000,006,912 | ---- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\Jgogo.sys -- (Jgogo)
DRV - [2005/05/11 00:33:12 | 000,032,256 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
DRV - [2004/08/13 05:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://specials.msn.com/alphabet.aspx
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = AE C2 2C 32 09 0A CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://specials.msn.com/alphabet.aspx"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.608
FF - prefs.js..extensions.enabledItems: {195A3098-0BD5-4e90-AE22-BA1C540AFD1E}:2.9.2
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6
FF - prefs.js..extensions.enabledItems: {3ED591BC-7CC7-495B-A526-B2431356EDC1}:2.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.10.1
FF - prefs.js..extensions.enabledItems: {F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}:9.5.0.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [email protected]:2.4
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1151
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: [email protected]:0.2.2

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/06/23 07:25:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/06/21 09:21:46 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3ED591BC-7CC7-495B-A526-B2431356EDC1}: C:\Program Files\Ad Muncher\FirefoxExtension_2.0 [2010/06/25 07:31:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2010/06/12 02:57:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/10/28 12:29:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/29 12:05:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey\Extensions\\{3ED591BC-7CC7-495B-A526-B2431356EDC1}: C:\Program Files\Ad Muncher\FirefoxExtension_2.0 [2010/06/25 07:31:00 | 000,000,000 | ---D | M]

[2010/06/12 00:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
[2010/10/31 00:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions
[2010/09/26 21:19:38 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}
[2010/06/14 21:13:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/29 20:34:19 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/25 08:36:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]
[2010/10/31 00:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]
[2010/06/13 22:58:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\fw3knc6h.default\extensions\[email protected]
[2010/10/30 11:13:08 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/12 04:00:16 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/18 07:53:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/17 23:09:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/08/26 01:48:48 | 000,251,392 | ---- | M] (SpeedBit Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\npdap.dll
[2010/09/15 04:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/10/27 03:44:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\ipsbho.dll (Symantec Corporation)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (STOPzilla Browser Helper Object) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll (iS3, Inc.)
O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.8.0.5\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Copernic Agent) - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O4 - HKLM..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe (Murray Hurps Corp Pty Ltd)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKCU..\Run: [SpeedBitVideoAccelerator] C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe (Speedbit Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O9 - Extra 'Tools' menuitem : Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk ()
O9 - Extra 'Tools' menuitem : Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Premier Edition\Norton Cleanup\WCQuick.lnk ()
O9 - Extra Button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\Program Files\Copernic Agent\CopernicAgent.exe (Copernic Technologies Inc.)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\SpeedBit Video Accelerator\sblsp.dll (Speedbit Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\SpeedBit Video Accelerator\sblsp.dll (Speedbit Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\Program Files\SpeedBit Video Accelerator\sblsp.dll (Speedbit Ltd.)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab (PCPitstop Utility)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1276337893640 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)
O16 - DPF: vzTCPConfig http://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 68.238.96.12
O18 - Protocol\Handler\copernicagent {A979B6BD-E40B-4A07-ABDD-A62C64A4EBF6} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O18 - Protocol\Handler\copernicagentcache {AAC34CFD-274D-4A9D-B0DC-C74C05A67E1D} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll (Copernic Technologies Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\TPSvc: DllName - TPSvc.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - Reg Error: Value error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/06/12 00:00:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/06/12 00:00:14 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.MJPG - C:\WINDOWS\System32\Pvmjpg21.dll (Pegasus Imaging Corporation)

MsConfig - StartUpReg: *DownloadAccelerator* - hkey= - key= - C:\Program Files\DAP\DAP.EXE (SpeedBit Ltd.)
MsConfig - StartUpReg: *DWQueuedReporting* - hkey= - key= - C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
MsConfig - StartUpReg: *IAAnotif* - hkey= - key= - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
MsConfig - StartUpReg: *JMB36X IDE Setup* - hkey= - key= - C:\WINDOWS\RaidTool\xInsIDE.exe ()
MsConfig - StartUpReg: *LightScribe Control Panel* - hkey= - key= - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe (Hewlett-Packard Company)
MsConfig - StartUpReg: *Malwarebytes' Anti-Malware* - hkey= - key= - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
MsConfig - StartUpReg: *msnmsgr* - hkey= - key= - C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
MsConfig - StartUpReg: *Norton Download Manager{NAV_Production_94_136}* - hkey= - key= - C:\Documents and Settings\All Users\Documents\Norton\{NAV_Production_94_136}\NAVDownloader.exe (Symantec Corporation)
MsConfig - StartUpReg: *Norton Save and Restore 2.0* - hkey= - key= - C:\Program Files\Norton Save and Restore\Agent\VProTray.exe (Symantec Corporation)
MsConfig - StartUpReg: *NortonUtilities* - hkey= - key= - C:\Program Files\Norton Utilities 14\nu.exe (Symantec Corporation)
MsConfig - StartUpReg: *NSWosCheck* - hkey= - key= - C:\Program Files\Norton SystemWorks Premier Edition\osCheck.exe (Symantec Corporation)
MsConfig - StartUpReg: *NswUiTray* - hkey= - key= - C:\Program Files\Norton SystemWorks Premier Edition\NswUiTray.exe (Symantec Corporation)
MsConfig - StartUpReg: *NvCplDaemon* - hkey= - key= - File not found
MsConfig - StartUpReg: *NvMediaCenter* - hkey= - key= - File not found
MsConfig - StartUpReg: *OM_Monitor* - hkey= - key= - C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe (OLYMPUS IMAGING CORP.)
MsConfig - StartUpReg: *PowerPanel Personal Edition User Interaction* - hkey= - key= - C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe ()
MsConfig - StartUpReg: *QuickTime Task* - hkey= - key= - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
MsConfig - StartUpReg: *SoundMAX* - hkey= - key= - C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
MsConfig - StartUpReg: *SoundMAXPnP* - hkey= - key= - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
MsConfig - StartUpReg: *SunJavaUpdateSched* - hkey= - key= - C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: *Zinio DLM* - hkey= - key= - C:\Program Files\Zinio\ZinioReader.exe (Zinio, LLC)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2

SafeBootMin: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: RkHit.sys - Reg Error: Value error.
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - Microsoft NetShow Player
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {3C3901C5-3455-3E0A-A214-0B093A5070A6} - .NET Framework
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73fa19d0-2d75-11d2-995d-00c04f98bbc9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902053519425536)

========== Files/Folders - Created Within 30 Days ==========

[2010/10/31 00:58:32 | 000,000,000 | ---D | C] -- C:\RECYCLER
[2010/10/31 00:53:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/10/31 00:49:37 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/10/31 00:49:31 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/31 00:01:45 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2010/10/29 13:25:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\AVG
[2010/10/29 10:37:34 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\TFC.exe
[2010/10/27 03:31:51 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/10/27 03:31:05 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/10/27 03:31:05 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/10/27 03:31:05 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/10/27 03:30:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/10/27 03:30:04 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/27 02:36:45 | 000,000,000 | ---D | C] -- C:\$AVG
[2010/10/27 00:51:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\KeePass
[2010/10/26 22:54:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\AVG10
[2010/10/26 22:50:25 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\Common Files
[2010/10/26 22:32:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2010/10/26 22:31:39 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2010/10/26 22:09:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2010/10/25 19:56:12 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/10/25 19:56:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/10/25 14:55:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\setup.pss
[2010/10/25 14:54:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\setupupd
[2010/10/24 06:25:51 | 000,222,080 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/10/24 06:06:21 | 000,000,000 | ---D | C] -- C:\Program Files\RegSeeker
[2010/10/24 05:50:54 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/10/24 01:20:12 | 011,701,704 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Admin\Desktop\windows-kb890830-v3.12.exe
[2010/10/23 08:37:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\NOS
[2010/10/19 12:36:24 | 000,132,560 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll
[2010/10/19 12:36:22 | 000,546,256 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2010/10/19 12:36:22 | 000,452,048 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2010/10/19 12:36:22 | 000,398,800 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll
[2010/10/19 12:36:22 | 000,028,624 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll
[2010/10/19 12:36:22 | 000,022,992 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2010/10/19 12:36:20 | 000,390,608 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll
[2010/10/19 12:36:20 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll
[2010/10/19 12:36:20 | 000,099,792 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll
[2010/10/19 12:36:20 | 000,067,024 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll
[2010/10/19 12:36:18 | 000,738,768 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll
[2010/10/19 12:36:18 | 000,230,864 | R--- | C] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll
[2010/10/18 02:51:34 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsgXP_2k3.dll
[2010/10/18 02:51:16 | 001,461,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfcoinstaller01009.dll
[2010/10/18 02:51:16 | 000,044,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\dc3d.sys
[2010/10/18 02:51:13 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft IntelliType Pro
[2010/10/17 23:09:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/10/17 23:08:59 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/10/17 23:08:59 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/10/17 23:08:59 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/10/15 21:24:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\Malwarebytes
[2010/10/15 21:23:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/10/15 21:22:43 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/10/12 18:09:14 | 000,000,000 | ---D | C] -- C:\Program Files\VideoSpirit Pro
[2010/10/11 22:38:59 | 000,000,000 | ---D | C] -- C:\sh4ldr
[2010/10/11 21:44:02 | 001,101,824 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox210.ocx
[2010/10/11 21:44:02 | 000,880,640 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBox10.ocx
[2010/10/11 21:44:02 | 000,212,992 | ---- | C] (Woodbury Associates Limited) -- C:\WINDOWS\System32\UniBoxVB12.ocx
[2010/10/11 21:42:43 | 001,081,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSCOMCTL.OCX
[2010/10/05 04:09:57 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Akamai
[2010/10/05 02:05:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead

========== Files - Modified Within 30 Days ==========

[2010/10/31 00:58:14 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/31 00:58:11 | 3488,698,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/31 00:35:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/10/31 00:06:05 | 000,016,262 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Please run OTL as well and see if anything else surfaces.docx
[2010/10/31 00:01:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2010/10/29 21:23:41 | 000,001,725 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Tiger 50.jpg
[2010/10/29 21:09:02 | 000,012,273 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Internet Explorer instructions.docx
[2010/10/29 20:17:21 | 000,002,439 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Serials2005.lnk
[2010/10/29 13:34:15 | 000,000,690 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2010/10/29 10:37:39 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\TFC.exe
[2010/10/28 15:09:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/27 03:44:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/10/27 03:31:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/10/27 03:30:32 | 003,887,256 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2010/10/27 00:51:51 | 000,001,870 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\NewDatabase.kdbx
[2010/10/27 00:13:46 | 000,000,423 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Shortcut to gmer.zip.lnk
[2010/10/25 22:16:10 | 000,079,872 | ---- | M] () -- C:\WINDOWS\MBR.exe
[2010/10/25 19:56:16 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/25 14:55:31 | 000,000,282 | ---- | M] () -- C:\Boot.bak
[2010/10/25 12:50:48 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/10/25 12:48:40 | 000,000,324 | ---- | M] () -- C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
[2010/10/25 08:13:19 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner.lnk
[2010/10/25 08:12:00 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\RegSeeker.lnk
[2010/10/25 06:47:00 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX
[2010/10/24 06:58:55 | 000,262,232 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/10/24 06:07:31 | 000,000,694 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\RegSeeker.lnk
[2010/10/24 05:50:56 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\CCleaner.lnk
[2010/10/24 05:13:38 | 000,011,776 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/23 23:49:16 | 011,701,704 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Admin\Desktop\windows-kb890830-v3.12.exe
[2010/10/21 20:38:52 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/19 22:20:54 | 000,001,603 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch STOPzilla.lnk
[2010/10/19 13:15:07 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IType_exe.job
[2010/10/19 13:15:07 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IPoint_exe.job
[2010/10/19 12:36:24 | 000,132,560 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3HTUI5.dll
[2010/10/19 12:36:22 | 000,546,256 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZComp5.dll
[2010/10/19 12:36:22 | 000,452,048 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZBase5.dll
[2010/10/19 12:36:22 | 000,398,800 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3DBA5.dll
[2010/10/19 12:36:22 | 000,028,624 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3XDat5.dll
[2010/10/19 12:36:22 | 000,022,992 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\SZIO5.dll
[2010/10/19 12:36:20 | 000,390,608 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3UI5.dll
[2010/10/19 12:36:20 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Svc5.dll
[2010/10/19 12:36:20 | 000,099,792 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Inet5.dll
[2010/10/19 12:36:20 | 000,067,024 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Hks5.dll
[2010/10/19 12:36:18 | 000,738,768 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Base5.dll
[2010/10/19 12:36:18 | 000,230,864 | R--- | M] (iS3, Inc.) -- C:\WINDOWS\System32\IS3Win325.dll
[2010/10/19 11:41:44 | 000,222,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/10/19 06:17:54 | 000,000,022 | ---- | M] () -- C:\WINDOWS\tpcsd
[2010/10/18 02:53:08 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_point32_01009.Wdf
[2010/10/18 02:51:47 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
[2010/10/18 02:51:43 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/10/16 20:42:18 | 000,503,110 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/10/16 20:42:18 | 000,088,508 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/10/11 21:53:51 | 000,000,149 | ---- | M] () -- C:\WINDOWS\WININIT.INI
[2010/10/11 21:42:57 | 000,000,723 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Utilities.lnk
[2010/10/08 06:22:15 | 000,002,643 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Express.lnk
[2010/10/08 06:03:09 | 000,000,892 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Vision.lnk
[2010/10/05 03:52:50 | 000,013,539 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Nero.docx
[2010/10/04 05:39:36 | 000,002,827 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Burning ROM 10.lnk
[2010/10/02 18:42:23 | 000,016,029 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Phone Codes.docx

========== Files Created - No Company Name ==========

[2010/10/31 00:58:11 | 3488,698,368 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/31 00:06:05 | 000,016,262 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Please run OTL as well and see if anything else surfaces.docx
[2010/10/29 21:23:41 | 000,001,725 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Tiger 50.jpg
[2010/10/29 21:09:02 | 000,012,273 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Internet Explorer instructions.docx
[2010/10/27 03:31:05 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/10/27 03:31:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/10/27 03:31:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/10/27 03:31:05 | 000,079,872 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/10/27 03:31:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/10/27 00:51:51 | 000,001,870 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\NewDatabase.kdbx
[2010/10/27 00:13:46 | 000,000,423 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Shortcut to gmer.zip.lnk
[2010/10/26 22:49:55 | 000,000,690 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\AVG 2011.lnk
[2010/10/25 19:56:16 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/25 14:55:31 | 000,000,282 | ---- | C] () -- C:\Boot.bak
[2010/10/25 14:55:28 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/10/25 12:57:46 | 003,887,256 | R--- | C] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2010/10/25 08:13:19 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner.lnk
[2010/10/25 08:12:00 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\RegSeeker.lnk
[2010/10/24 06:07:31 | 000,000,694 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\RegSeeker.lnk
[2010/10/24 05:50:56 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\CCleaner.lnk
[2010/10/19 06:17:54 | 000,000,022 | ---- | C] () -- C:\WINDOWS\tpcsd
[2010/10/18 02:53:08 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_point32_01009.Wdf
[2010/10/18 02:51:47 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_dc3d_01009.Wdf
[2010/10/18 02:51:43 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/10/11 21:42:57 | 000,000,723 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Utilities.lnk
[2010/10/08 06:03:09 | 000,000,892 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Vision.lnk
[2010/10/05 03:45:50 | 000,013,539 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Nero.docx
[2010/10/04 05:40:41 | 000,002,643 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Express.lnk
[2010/10/04 05:39:36 | 000,002,827 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Nero Burning ROM 10.lnk
[2010/10/02 18:42:23 | 000,016,029 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Phone Codes.docx
[2010/06/24 12:00:55 | 000,000,011 | ---- | C] () -- C:\WINDOWS\EuBcd.ini
[2010/06/24 08:19:05 | 000,513,304 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/06/24 01:30:42 | 000,000,149 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/06/14 09:23:52 | 000,002,516 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/06/14 09:23:52 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\49D5D4E04C.sys
[2010/06/13 07:56:42 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/13 07:27:53 | 000,011,776 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/06/12 00:40:58 | 000,012,410 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate
[2010/06/12 00:26:06 | 000,019,518 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2010/06/12 00:10:53 | 000,019,896 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2010/06/12 00:10:26 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2010/06/12 00:10:02 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2010/06/11 18:50:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2010/01/25 12:58:06 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/12/26 17:35:10 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/11/08 22:31:34 | 000,544,768 | ---- | C] () -- C:\WINDOWS\System32\SZFrame.dll
[2001/07/13 07:04:00 | 000,373,248 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2010/06/12 00:00:14 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/10/25 14:55:31 | 000,000,282 | ---- | M] () -- C:\Boot.bak
[2010/10/27 03:31:55 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2006/02/28 07:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2010/10/31 00:53:35 | 000,025,754 | ---- | M] () -- C:\ComboFix.txt
[2010/06/12 00:00:14 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/10/31 00:58:11 | 3488,698,368 | -HS- | M] () -- C:\hiberfil.sys
[2010/06/12 00:00:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/12 00:00:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/06/12 21:18:15 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/10/31 00:58:10 | 3219,128,320 | -HS- | M] () -- C:\pagefile.sys
[2010/09/18 17:00:47 | 001,744,896 | -H-- | M] () -- C:\SZKGFS.dat
[2010/10/25 06:47:00 | 000,004,096 | -HS- | M] () -- C:\VSNAP.IDX

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2010/06/12 00:00:04 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2001/07/13 07:04:00 | 000,253,952 | ---- | M] () -- C:\WINDOWS\Jasc Media Center Plus.scr

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2010/06/11 18:48:00 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2010/06/11 18:48:00 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2010/06/11 18:48:00 | 000,925,696 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2010/06/12 21:23:34 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/06/12 00:04:01 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2010/06/12 00:04:00 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >
[2010/10/27 03:30:32 | 003,887,256 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2010/10/31 00:01:37 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2010/10/29 10:37:39 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\TFC.exe
[2010/10/23 23:49:16 | 011,701,704 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Admin\Desktop\windows-kb890830-v3.12.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2010/06/12 00:04:00 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Admin\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2010/10/31 00:58:24 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Admin\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe
[2006/06/23 01:48:54 | 000,032,768 | R--- | M] (AsusTek Inc.) -- C:\WINDOWS\inf\UpdateUSB.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.exe >
[2008/04/13 19:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< %USERPROFILE%\Templates\*.tmp >

< %SYSTEMDRIVE%\explorexxx.exe\*.* >

< %Windir%\Installer\*.tmp >
[84 C:\WINDOWS\Installer\*.tmp files -> C:\WINDOWS\Installer\*.tmp -> ]

< %systemroot%\System32\*.xco >

< %ProgramFiles%\system32\*.* >

< %systemroot%\System32\windos\*.* >

< %SystemRoot%\system32\sandbox\*.* >

< %SystemRoot%\system32\*.amo >

< %SystemRoot%\system32\Windows Live\*.* >

< %ProgramFiles%\logs\*.* >

< %ProgramFiles%\Bifrost\*.* >

< %SystemRoot%\system32\*.goo >

< %systemroot%\system32\IME\*.* >

< %systemroot%\BackUp\*.* >

< %systemroot%\system32\*.ico >

< %systemroot%\system\*.dat >

< %systemroot%\system\*.exe >

< %AppData%\Macromedia\Common\*.* >

< %SYSTEMDRIVE%\dir\*.* /s >

< %systemroot%\system32\ras\*.exe >

< %SYSTEMDRIVE%\MFILES\*.* >

< %SYSTEMDRIVE%\mDNSRespon.exe\*.* >

< %systemroot%\system32\services\*.* >

< %systemroot%\Spooler\*.* >

< %ProgramFiles%\system32\*.* >

< %systemroot%\system32\Setup\*.dll /x >

< %systemroot%\system32\*.mine >

< %SYSTEMDRIVE%\cleansweep.exe\*.* >

< %systemroot%\system32\ras\*.dll >

< %systemroot%\system32\ras\*.drv >

< %systemroot%\*.iq >

< %systemroot%\system32\XP\*.* >

< %SYSTEMDRIVE%\Extracted\*.* >

< %systemroot%\system32\windows\*.* >

< %systemroot%\logs\*.* >
[2010/06/19 01:01:23 | 000,168,663 | ---- | M] () -- C:\WINDOWS\Logs\DirectX.log

< %SYSTEMDRIVE%\Win.Msi\*.* >

< %systemroot%\regedit\*.* >

< %systemroot%\system32\skype\*.* >

< %AppData%\Adobe\dlluplwin25\*.* >

< %UserProfile%\*.dat >
[2010/10/31 00:56:49 | 013,107,200 | ---- | M] () -- C:\Documents and Settings\Admin\NTUSER.DAT

< %UserProfile%\*.dll >

< %systemroot%\system32\*.sxo >

< %SYSTEMDRIVE%\Gazma\*.* /s >

< %systemroot%\system32\spynet\*.* >

< %systemroot%\system32\System\*.* >

< %appdata%\Microsoft\Windows\*.* >

< %systemroot%\system32\WinDir\*.* >

< %systemroot%\_\*.* >

< %systemroot%\system32\windows32\*.* >

< %ProgramFiles%\win\*.* >

< %AppData%\Microsoft\CD Burning\*.* >

< %systemroot%\*.cab >

< %systemroot%\K.Backup\*.* >

< %ProgramFiles%\Massenger\*.* >

< %systemroot%\System32\*.doc >

< %systemroot%\Office12\*.* >

< %systemroot%\System32\Rundl32.exe\*.* >

< %ProgramFiles%\yahoo.net\*.* >

< %systemroot%\system32\*.igo >

< %systemroot%\*.rew >

< %systemroot%\System32\spool\DRIVERS\W32X86\3\*.exe >

< %USERPROFILE%\.COMMgr\*.* >

< %USERPROFILE%\Desktop\*.bat >

< %PROGRAMFILES%\Common Files\Real\visualizations\*.rpv /x >

< %PROGRAMFILES%\Internet Explorer\*.Jmp >

< %PROGRAMFILES%\Windows NT\system\*.dll >

< %systemroot%\system32\*.ext >

< %systemroot%\system32\Com\*.cfg >

< %systemroot%\system32\btz\*.* >

< %systemroot%\system32\EMP\*.* >

< %systemroot%\system32\expo\*.* >

< %systemroot%\system32\inet2\*.* >

< %systemroot%\system32\xrem\*.* >

< %ProgramFiles%\Microsoft\*.* >

< %systemroot%\usgwmt\*.* >

< %ProgramFiles%\B\*.* >

< %SYSTEMDRIVE%\lspp\*.* >

< %systemroot%\Kral\*.* >

< %SYSTEMDRIVE%\windowsdvd.exe\*.* >

< %systemroot%\system32\*.ipo >

< %SYSTEMDRIVE%\usxxxxxxxx.exe\*.* >

< %systemroot%\system32\*.mof >
[2009/07/16 10:30:06 | 000,000,789 | ---- | M] () -- C:\WINDOWS\system32\winrmprov.mof

< %systemroot%\*.atm >

< %systemroot%\system32\svhost\*.* >

< %ProgramFiles%\system32\*.* >

< %ProgramFiles%\Docmentt\*.* >

< %systemroot%\Help\*.vbs >

< %ProgramFiles%\Windows WinSxs\*.* /s >

< %ProgramFiles%\Outlook Express\IDT\*.* /s >

< %ProgramFiles%\Microsoft Office\365\*.* /s >

< %ProgramFiles%\Windows Live\*.* >

< %systemroot%\system32\win32\*.* >

< %SYSTEMDRIVE%\RECYCLER\*.* >

< %systemroot%\Fresh1\*.* >

< %ProgramFiles%\Kekj\*.* /s >

< %systemroot%\GDU\*.* >

< %systemroot%\KA\*.* >

< %systemroot%\R\*.* >

< %systemroot%\system32\*.fyo >

< %USERPROFILE%\System\*.* >

< %systemroot%\Source\*.* >

< %systemroot%\system32\ac\*.* >

< %ProgramFiles%\MSDN\*.* >

< %AppData%\AdobeUM\winvcldll54\*.* /s >

< %ProgramFiles%\Internet Explorer\*.ico >

< %systemroot%\system32\*.ojo >

< %systemroot%\system32\d323s\*.* >

< %systemroot%\system32\re\*.* >

< %UserProfile%\Microsoft\*.dll >

< %UserProfile%\Microsoft\*.log >

< %systemroot%\Bios\*.* >

< %ProgramFiles%\Spool\*.* >

< %ProgramFiles%\promp3\*.* >

< %SYSTEMDRIVE%\Driver\*.* /s >

< %SYSTEMDRIVE%\inetserver.exe\*.* >

< %systemroot%\java\trustlib\*.* >

< %ProgramFiles%\Common Files\designer\*.exe >

< %ProgramFiles%\*. >
[2010/06/25 07:30:59 | 000,000,000 | ---D | M] -- C:\Program Files\Ad Muncher
[2010/06/15 03:49:46 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/06/13 00:29:20 | 000,000,000 | ---D | M] -- C:\Program Files\AGI
[2010/06/12 00:27:17 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2010/06/17 15:09:02 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2010/10/29 13:14:25 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/06/25 07:35:44 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent
[2010/10/24 05:50:56 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2010/10/31 00:51:46 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2010/06/11 23:58:44 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2010/06/12 03:42:29 | 000,000,000 | ---D | M] -- C:\Program Files\Copernic Agent
[2010/06/15 00:35:33 | 000,000,000 | ---D | M] -- C:\Program Files\Corel
[2010/10/31 00:58:36 | 000,000,000 | ---D | M] -- C:\Program Files\CyberPower PowerPanel Personal Edition
[2010/08/26 01:52:45 | 000,000,000 | ---D | M] -- C:\Program Files\DAP
[2010/06/24 01:33:33 | 000,000,000 | ---D | M] -- C:\Program Files\EASEUS
[2010/06/12 21:58:25 | 000,000,000 | ---D | M] -- C:\Program Files\FILE RECOVERY for Windows
[2010/06/17 23:07:42 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2010/06/12 00:22:53 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/10/15 03:02:59 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/06/17 03:38:13 | 000,000,000 | ---D | M] -- C:\Program Files\Jasc Software Inc
[2010/10/17 23:08:55 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/10/25 19:56:19 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/06/12 00:30:01 | 000,000,000 | ---D | M] -- C:\Program Files\Marvell
[2010/06/12 21:25:17 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2010/06/12 03:13:02 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2010/06/12 00:00:29 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2010/10/18 02:52:52 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft IntelliPoint
[2010/10/18 02:51:14 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft IntelliType Pro
[2010/06/13 23:57:37 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/10/03 04:23:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2010/06/13 23:48:55 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/06/16 00:09:25 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Works
[2010/06/23 05:44:58 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2010/08/12 14:23:18 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/10/28 12:30:01 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2010/06/12 20:44:34 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2010/06/12 03:55:58 | 000,000,000 | ---D | M] -- C:\Program Files\MSECACHE
[2010/06/11 23:58:06 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2010/06/11 23:58:28 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2010/06/12 09:15:04 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2010/06/12 02:31:27 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010/10/19 21:42:29 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2010/06/12 21:20:06 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/06/21 09:20:31 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Internet Security
[2010/06/12 00:43:03 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Save and Restore
[2010/10/25 12:48:39 | 000,000,000 | ---D | M] -- C:\Program Files\Norton SystemWorks Premier Edition
[2010/10/31 00:46:57 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Utilities 14
[2010/06/23 05:38:42 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/09/08 02:48:35 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2010/06/17 23:06:33 | 000,000,000 | ---D | M] -- C:\Program Files\OLYMPUS
[2010/06/12 21:31:45 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/06/17 23:05:50 | 000,000,000 | ---D | M] -- C:\Program Files\PIXELA
[2010/06/17 21:28:26 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/06/12 20:44:24 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2010/10/24 06:09:03 | 000,000,000 | ---D | M] -- C:\Program Files\RegSeeker
[2010/06/16 21:38:42 | 000,000,000 | ---D | M] -- C:\Program Files\Seagate
[2010/10/29 20:29:27 | 000,000,000 | ---D | M] -- C:\Program Files\Serials 2005
[2010/06/27 20:31:53 | 000,000,000 | ---D | M] -- C:\Program Files\Siber Systems
[2010/06/12 03:38:02 | 000,000,000 | ---D | M] -- C:\Program Files\SpeedBit Video Accelerator
[2010/10/19 20:40:38 | 000,000,000 | ---D | M] -- C:\Program Files\STOPzilla!
[2010/06/21 09:21:25 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/06/12 00:03:57 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/10/02 15:23:32 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2010/10/12 18:13:46 | 000,000,000 | ---D | M] -- C:\Program Files\VideoSpirit Pro
[2010/06/13 00:29:24 | 000,000,000 | ---D | M] -- C:\Program Files\Webshots
[2010/06/12 03:56:07 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Installer Clean Up
[2010/06/12 03:13:21 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2010/06/12 03:12:47 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2010/06/14 07:09:05 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Components
[2010/06/12 05:24:55 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/06/12 21:20:02 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2010/06/12 21:20:02 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/06/12 00:06:34 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2010/06/11 23:59:39 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2010/09/04 07:38:37 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2010/06/12 03:12:05 | 000,000,000 | ---D | M] -- C:\Program Files\WinZip
[2010/06/15 00:32:21 | 000,000,000 | ---D | M] -- C:\Program Files\Xenocode
[2010/06/12 00:00:29 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/06/25 01:38:54 | 000,000,000 | ---D | M] -- C:\Program Files\Zinio
[2010/06/13 22:43:01 | 000,000,000 | ---D | M] -- C:\Program Files\Zinio Alert Messenger

< %systemroot%\system32\*.tso >

< %ALLUSERSPROFILE%\Documents\Server\*.* >

< %systemroot%\*.pif >
[2004/08/04 05:00:00 | 000,000,707 | ---- | M] () -- C:\WINDOWS\_default.pif

< %systemroot%\system32\n7533\*.* >

< %systemroot%\Us18336\*.* >

< %systemroot%\system32\*.zip >

< %systemroot%\system32\*.wgo >

< %systemroot%\system32\dllcache\*.com >

< %systemroot%\system32\dllchache\*.* >

< %systemroot%\system32\038840\*.* >

< %systemroot%\system32\13E92A\*.* >

< %systemroot%\system32\1CB5AD\*.* >

< %systemroot%\system32\52682A\*.* >

< %USERPROFILE%\My Documents\*.htm >
[2010/06/26 02:39:05 | 000,171,366 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Credit Report 6_10.htm
[2009/02/16 07:41:22 | 000,000,332 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Equifax Dispute2_09.htm
[2008/08/09 07:00:50 | 000,027,883 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\ExperianDispute.htm
[2009/02/16 06:58:02 | 000,023,362 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\ExperianReport.htm
[2010/06/18 23:33:22 | 000,232,357 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\FilesTreasury Membership.htm
[2010/06/18 23:41:15 | 000,232,052 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\FilesTreasury.htm
[2009/05/13 21:25:07 | 000,017,725 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Newegg OCZ Mem.htm
[2009/05/15 04:11:41 | 000,020,512 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Newegg Order.htm
[2009/05/17 07:45:09 | 000,006,686 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Pet Mountain Receipt.htm
[2009/10/31 22:06:55 | 000,018,478 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Petsmart Receipt.htm
[2010/06/26 01:06:13 | 000,019,561 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\ReportSummary2.do.htm
[2009/12/27 00:54:42 | 000,007,927 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\UPS Label.htm
[2008/09/08 22:31:26 | 000,002,576 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Ups Receipt.htm

< %SYSTEMDRIVE%\Mr_CF\*.* >

< %USERPROFILE%\My Documents\*.dll >

< %USERPROFILE%\My Documents\*.ccc >

< %systemroot%\system32\Sis\*.* >

< %systemroot%\Microsft\*.* >

< %SYSTEMDRIVE%\driverwinx.exe\*.* >

< %systemroot%\BifroXx\*.* >

< %SYSTEMDRIVE%\TSTP\*.* >

< %systemroot%\winsn\*.* >

< %ProgramFiles%\windata\*.* >

< %SYSTEMDRIVE%\msixxxxxxx.exe\*.* >

< %systemroot%\system32\*.sao >

< %systemroot%\system32\*.iem >

< %systemroot%\system32\*.mdd >

< %systemroot%\system32\*.wlo >

< %systemroot%\system32\*.skn >

< %SYSTEMDRIVE%\Winup\*.* >

< %SYSTEMDRIVE%\test\*.* >

< %systemroot%\system32\med\*.* >

< %systemroot%\Bifrost\*.* >

< %systemroot%\system32\explorer.exe\*.* >

< %UserProfile%\UserData\*.dat /x >

< %SYSTEMDRIVE%\Arquivo de programas\*.* >

< %ProgramFiles%\tcpview\*.* >

< %systemroot%\system32\*.lyo >

< %ProgramFiles%\huanbang2\*.* >

< %systemroot%\winhuanbang\*.* >

< %systemroot%\minrsv.ini\*.* >

< %systemroot%\assembly\GAC\*.* >

< %AppData%\Adobe\crtmswin91\*.* >

< %ProgramFiles%\Windows NT\Accessories\*.exe >
[2010/07/12 07:55:03 | 000,218,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows NT\Accessories\wordpad.exe

< %systemroot%\system32\*.pdo >

< %SYSTEMDRIVE%\APPDATASH\*.* >

< %SYSTEMDRIVE%\sy\*.* >

< %systemroot%\*.cot >

< %systemroot%\system32\*.html >

< %systemroot%\system32\win32.exe\*.* >

< %systemroot%\System32\9283\*.* >

< %systemroot%\System32\hardpol\*.* /s >

< %systemroot%\Fonts\*.dat >

< %ProgramFiles%\WinNTsystem operation\*.* >

< %SYSTEMDRIVE%\moneyxmexx.exe\*.* >

< %USERPROFILE%\Templates\*.exe >

< %SYSTEMDRIVE%\MSOCache\*.* >

< %systemroot%\inf\win\*.* >

< %SYSTEMDRIVE%\users\*.* /s >

< %systemroot%\Media\*.exe >

< %systemroot%\Media\*.dll >

< %AppData%\AdobeUM\upldrvdrv2\*.* >

< %ProgramFiles%\wiselink\*.* >

< %systemroot%\*.wd >

< %systemroot%\boot\*.* >

< %systemroot%\ime\*.dll /x >

< %systemroot%\system32\GroupPolicy\User\Scripts\*.* /s >

< %systemroot%\system32\*.INS >

< %SYSTEMDRIVE%\Temporary\*.* >

< %AppData%\AdobeUM\vclvclupl66\*.* >

< %SYSTEMDRIVE%\KEY\*.* /s >

< %SYSTEMDRIVE%\INVRSO\*.* >

< %systemroot%\Config\Audit\*.* /s >

< %ProgramFiles%\facebook\*.* >

< %SystemRoot%\system32\___hptmp\*.* >

< %SystemRoot%\system32\Macromedia\*.* >

< %SystemRoot%\system32\Macrocmp\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-10-27 00:03:11

========== Alternate Data Streams ==========

@Alternate Data Stream - 264 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A9662AE0
@Alternate Data Stream - 257 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2B11E0DF
@Alternate Data Stream - 171 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP287FACF
@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0B4227B4

< End of report >


----------



## Raz_Man (Oct 17, 2010)

OTL Extras logfile created on: 10/31/2010 1:02:50 AM - Run 1
OTL by OldTimer - Version 3.2.17.1 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
12.00 Gb Paging File | 12.00 Gb Available in Paging File | 96.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 931.50 Gb Total Space | 744.38 Gb Free Space | 79.91% Space Free | Partition Type: NTFS
Drive F: | 698.64 Gb Total Space | 57.13 Gb Free Space | 8.18% Space Free | Partition Type: NTFS
Drive G: | 698.64 Gb Total Space | 695.12 Gb Free Space | 99.50% Space Free | Partition Type: NTFS

Computer Name: ADMINISTRATOR | User Name: Admin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htafile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5985:TCP" = 5985:TCP:*:Disabled:Windows Remote Management
"1033:TCP" = 1033:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\AVG\AVG10\avgdiagex.exe" = C:\Program Files\AVG\AVG10\avgdiagex.exe:*:Enabled:AVG Diagnostics 2011 -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgnsx.exe" = C:\Program Files\AVG\AVG10\avgnsx.exe:*:Enabled:Online Shield -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" = C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgam.exe" = C:\Program Files\AVG\AVG10\avgam.exe:*:Enabled:AVG Alert manager -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG10\avgemcx.exe" = C:\Program Files\AVG\AVG10\avgemcx.exe:*:Enabled:Personal E-mail Scanner -- (AVG Technologies CZ, s.r.o.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00F93853-D9D3-4795-A89E-84CCBA0205C9}" = Microsoft IntelliPoint 8.0
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{1A258E63-8DF5-4ADB-9832-38A0121D65EB}" = AVG 2011
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}" = ImageMixer VCD/DVD2 for OLYMPUS
"{1F7FB68F-52F6-46A3-B42F-38CE46295AE5}" = Nero MediaHub 10
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{237CCB62-8454-43E3-B158-3ACD0134852E}" = High-Definition Video Playback 10
"{2436F2A8-4B7E-4B6C-AE4E-604C84AA6A4F}" = Nero Core Components 10
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 22
"{277C1559-4CF7-44FF-8D07-98AA9C13AABD}" = Nero Multimedia Suite 10
"{2857dbef-0b50-361c-8690-7d505747009f}" = Webshots Desktop
"{304B576D-A16E-4983-A5E5-53E40806DFB5}" = STOPzilla
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{34490F4E-48D0-492E-8249-B48BECF0537C}" = Nero DiscSpeed 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{36C65751-6AED-4F89-A57B-3BE1239F046C}" = CyberPower PowerPanel Personal Edition 1.2.2
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{42C8B7DF-FEB0-4D51-B169-506B6BEC5797}" = Nero 10 Menu TemplatePack 1
"{43FBAB46-5969-4200-9958-1FF81FEE506F}" = Nero 10 Movie ThemePack 1
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{63AA3EAB-23BB-48B2-9AD0-44F878075604}" = Nero 10 Menu TemplatePack Basic
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{68AB6930-5BFF-4FF6-923B-516A91984FE6}" = Nero BackItUp 10
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6A7867BA-B7CA-4CC9-ACAB-85BA46865EE5}" = Norton Utilities
"{6DFB899F-17A2-48F0-A533-ED8D6866CF38}" = Nero Control Center 10
"{70550193-1C22-445C-8FA4-564E155DB1A7}" = Nero Express 10
"{70F19404-B96C-4EBB-AD2B-3574F8736197}" = Nero 10 Movie ThemePack 2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77364F85-6219-4CB8-AAA0-6D53368D683D}" = Connection Keep Alive
"{7A5D731D-B4B3-490E-B339-75685712BAAB}" = Nero Burning ROM 10
"{82EF29B1-9B60-4142-A155-0599216DD053}" = LightScribe System Software
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83CCB117-5A40-4834-9ED9-357467F22E46}" = Compaq 7550 INF and ICM software
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{8ECEC853-5C3D-4B10-B5C7-FF11FF724807}" = Nero Recode 10
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{92146419-AE44-4C8B-A48B-0ABB1B5EC026}" = Nero 10 Menu TemplatePack 3
"{92A10E9D-EA00-4A46-8F22-EEA660992D61}" = Nero 10 Sample Videos
"{943CFD7D-5336-47AF-9418-E02473A5A517}" = Nero BurnRights 10
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{96ED4B78-300E-4033-AE6C-C115CEB4DF07}" = Nero 10 ClipartPack
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9A4297F3-2A51-4ED9-92CA-4BCB8380947E}" = Nero Vision 10
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A31838F1-8E0D-4CA3-A40A-20825B92F125}" = Serials 2005
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.0
"{ACD15FDF-FC42-4175-B477-576F92FF2256}" = Nero 10 Sample ImagePack
"{B0255743-165B-4BD5-8DA8-37DFB993B201}" = Norton Save and Restore
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B26B00DA-2E5D-4CF2-83C5-911198C0F009}" = GoodSync
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C3580AC4-C827-4332-B935-9A282ED5BB97}" = Nero Dolby Files 10
"{CA31120D-2101-484D-9FF1-195DE96FE346}" = Norton Cleanup
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B2}" = WinZip 11.2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{D2E707E8-090E-EC5B-4833-1CA694FB7460}" = Zinio Alert Messenger
"{D4CFC5F3-481C-40AA-9944-E7E4E732136C}" = Microsoft IntelliType Pro 8.0
"{D6DE02C7-1F47-11D4-9515-00105AE4B89A}" = Paint Shop Pro 7 Anniversary Edition
"{E1EE5339-5D32-458F-BAAB-B19F6301BCE2}" = Nero SoundTrax 10
"{E337E787-CF61-4B7B-B84F-509202A54023}" = Nero RescueAgent 10
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{E712C273-7564-4C8E-AA59-0FA19BC35117}" = Nero 10 Menu TemplatePack 2
"{E80F62FF-5D3C-4A19-8409-9721F2928206}" = LiveUpdate (Symantec Corporation)
"{EDCDFAD5-DF80-4600-A493-E9DAD6810230}" = Nero WaveEditor 10
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E8CB62-6A1C-4e55-BCD9-1A0F7527B64A}" = Norton SystemWorks Premier Edition
"{F412B4AF-388C-4FF5-9B2F-33DB1C536953}" = Nero InfoTool 10
"{F5CB822F-B365-43D1-BCC0-4FDA1A2017A7}" = Nero 10 Movie ThemePack Basic
"{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}" = Nero StartSmart 10
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"{FCF00A6E-FB58-477A-ABE9-232907105521}" = Nero CoverDesigner 10
"Ad Muncher" = Ad Muncher v4.81 Build 31376
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AI RoboForm" = AI RoboForm (All Users)
"Akamai" = Akamai NetSession Interface
"BitTorrent" = BitTorrent
"Bryce Lightning" = Bryce(R) Lightning
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Copernic Agent Basic" = Copernic Agent Basic
"Download Accelerator Plus (DAP)" = Download Accelerator Plus (DAP)
"EASEUS Todo Backup 1.1_is1" = EASEUS Todo Backup 1.1
"FILE RECOVERY for WindowsNSIS" = FILE RECOVERY for Windows
"InstallShield_{BA820A24-704B-428D-9904-71A10DAC1372}" = OLYMPUS Master
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Marvell Miniport Driver" = Marvell Miniport Driver
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"NIS" = Norton Internet Security
"Norton Utilities_is1" = Norton Utilities
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"PROR" = Microsoft Office Professional 2007
"PsuedoLiveUpdate" = LiveUpdate (Symantec Corporation)
"SpeedBit Video Accelerator" = SpeedBit Video Accelerator
"STOPzilla" = STOPzilla!
"SymSetup.{F0E8CB62-6A1C-4e55-BCD9-1A0F7527B64A}" = Norton SystemWorks (Symantec Corporation)
"uTorrent" = µTorrent
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Zinio Reader" = Zinio Reader
"ZinioAlertMessenger.9310D8F796442B71068C511E15D70529A702D19D.1" = Zinio Alert Messenger
"ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1" = Zinio Reader 4

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/29/2010 12:54:19 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11500
Description = Product: HiJackThis -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

Error - 10/29/2010 12:54:21 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11500
Description = Product: HiJackThis -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

Error - 10/29/2010 12:54:23 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11500
Description = Product: HiJackThis -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

Error - 10/29/2010 12:54:25 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11500
Description = Product: HiJackThis -- Error 1500. Another installation is in progress.
You must complete that installation before continuing this one.

Error - 10/29/2010 12:54:42 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11406
Description = Product: AVG 2011 -- Error 1406. Could not write value 409 to key 
\Software\Classes\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}. 
System error . Verify that you have sufficient access to that key, or contact your
support personnel.

Error - 10/29/2010 1:54:25 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11704
Description = Product: AVG 2011 -- Error 1704. An installation for HiJackThis is
currently suspended. You must undo the changes made by that installation to continue.
Do you want to undo those changes?

Error - 10/29/2010 2:32:01 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11704
Description = Product: AVG 2011 -- Error 1704. An installation for HiJackThis is
currently suspended. You must undo the changes made by that installation to continue.
Do you want to undo those changes?

Error - 10/29/2010 2:33:54 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11406
Description = Product: AVG 2011 -- Error 1406. Could not write value 409 to key 
\Software\Classes\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}. 
System error . Verify that you have sufficient access to that key, or contact your
support personnel.

Error - 10/29/2010 2:33:56 PM | Computer Name = ADMINISTRATOR | Source = MsiInstaller | ID = 11406
Description = Product: AVG 2011 -- Error 1406. Could not write value 409 to key 
\Software\Classes\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}. 
System error . Verify that you have sufficient access to that key, or contact your
support personnel.

Error - 10/31/2010 1:49:57 AM | Computer Name = ADMINISTRATOR | Source = Application Error | ID = 1000
Description = Faulting application mbr.cfxxe, version 0.0.0.0, faulting module ntdll.dll,
version 5.1.2600.5755, fault address 0x00002128.

[ System Events ]
Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The LightScribeService Direct Disc Labeling Service service terminated
unexpectedly. It has done this 1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly.
It has done this 1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The AG Core Services service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The PowerPanel Personal Edition Service service terminated unexpectedly.
It has done this 1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The VideoAcceleratorService service terminated unexpectedly. It has
done this 1 time(s).

Error - 10/31/2010 1:38:59 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 10/31/2010 1:49:21 AM | Computer Name = ADMINISTRATOR | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/31/2010 1:50:36 AM | Computer Name = ADMINISTRATOR | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
BHDrvx86 ccHP eeCtrl Fips i8042prt intelppm ohci1394 SRTSPX SymIRON SYMTDI

Error - 10/31/2010 1:56:48 AM | Computer Name = ADMINISTRATOR | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

< End of report >

Still got MBR.cfxxe error when running Combofix.


----------



## CatByte (Feb 24, 2009)

Hi

The computer is clean of malware.

The cfxxx error seems to be due to a faulting module ntdll.dll which appears to be related to an AMD chipset.

I would clean out all the quarantined files from all the security programs you have, one program may be picking up the detection from one of your other programs.

Then I would use the TFC program to clean out all the temp files again

then clear all your cookies:

Download *Flush Flash Cookies* by Bobbi Flekman.
Select the Windows version and save flushflash.exe to your Desktop.
Double-click flushflash.exe to run it.
Select *Everything but Site settings.*
Click *Make it so!.*
When the "Killed off all Flash cookies" window opens, click *OK.*
Close Flush Flash Cookies.

clear all other cookies

Delete all currently saved cookies from your computer.

In Internet Explorer, 
click *Tools > Internet Options* and then click the *Delete Cookies* button on the *General* tab.

In Firefox, 
click *Tools > Clear Recent History* > Set *Time range to clear* to *Everything*
Click on the arrow next to *Details* to expand the list of history items. 
Select *Cookies* and make sure that other items you want to keep are not selected. 
Click *Clear Now* to clear the cookies and close the Clear Recent History window

*NEXT*

Reset your Hosts file back to default

Use the 'Fix It' button on this Microsoft site:

http://support.microsoft.com/kb/972034

Do you use AdMuncher, RegSeeker, CCleaner, SpywareHunter and Windows Defender as well as StopZilla, Malwarebytes and your Norton programs?

If not you can uninstall them.

*P2P* - I see you have *P2P* software Bit torrent and utorrent, installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. *This page* will give you further information. 
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
*Perils of P2P File Sharing*.
I would strongly recommend that you uninstall this/these now. You can do so via *Control Panel >> Add or Remove Programs.*

Let's clean up the tools used:

Please do the following:

*Follow these steps to uninstall Combofix *


Make sure your security programs are totally disabled.
Click *START* then *RUN*
Now copy/paste *Combofix /uninstall* into the *runbox* and click *OK.* Note the *space* between the *..X* and the */U*, it needs to be there.

*NEXT*

Clean up with *OTL:*

Double-click *OTL.exe* to start the program.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the *CLEANUP* button
Say *Yes* to the prompt and then allow the program to reboot your computer.

If any logs/tools remain that I had you download, right click and delete them.

Now do a scan with your stopzilla and your Norton and advise the results

be as specific as possible if any detections are found - screen shots if possible, if not - specific paths


----------



## Raz_Man (Oct 17, 2010)

CatByte said:


> I would clean out all the quarantined files from all the security programs you have, one program may be picking up the detection from one of your other programs.


Once something has been quarantined it has been deleted.
I don't understand the 2nd part.

I have Ad Muncher running. I also have CC Cleaner, Regseeker & Malwarebytes. I already uninstalled Windows Defender because I am not using that one. I never have had SpywareHunter nor have I heard of that one. I am not using & do not have any others.

I don't have Bit Torrent & uTorrent installed, only uTorrent. All I do is download files that go directly to a disc. Nothing is opened or run on my computer. I know better than that.

As far as I know my computer has been clean of malware. I haven't seen anything detected yet that I know of however Gmer still does show the same thing as far as Rootkit.

Of course I still have the original problem with the UPX.exe Trojan too.

StopZilla runs a daily scan automatically & Norton runs an Idle scan automatically also. Nothing has been detected except the UPX.exe Trojan, other than the malware & other things that don't count since it was for here.

I've done everything else so far now.

Thank you


----------



## CatByte (Feb 24, 2009)

where is UPX.exe being detected?



> Once something has been quarantined it has been deleted.


Not exactly, it's been moved from where it can be executed, but can still be detected. It can't harm your computer, but can still alert detection programs.

Let's remove all the old restore points in case there are detections there:

Please do the following:

Click *Start > Run > *copy and paste the following into the run box:
*%SystemRoot%\System32\restore\rstrui.exe*
Press *OK.* Choose *Create a Restore Point* then click *Next.*
Name it (something you'll remember) and click *Create,*
when the confirmation screen shows the restore point has been created click *Close.*

Now remove all previous Restore Points:
Click *Start > Run > *copy and paste the following into the run box:
*cleanmgr*
Choose to scan drive C:\ (if C:\ is your main drive). At the top, click on the *More Options* tab. Click the *Clean up* button in the *System Restore* box.
Click on the *Yes* button. 
When finished, click on *Cancel* button to exit.

*next*

C:\sh4ldr has been associated to Spy Hunter
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]

It appears it was on your machine at one time, or another of your security programs uses the same driver as SpyHunter.
take a look in that folder see if you recognize the files.

same with BitTorrent
"BitTorrent" = BitTorrent
< %ProgramFiles%\*. >
[2010/06/25 07:35:44 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent

take a look - see if it is there > delete the folder


----------



## Raz_Man (Oct 17, 2010)

CatByte said:


> where is UPX.exe being detected?


What do you mean where? I've said it is being detected with Norton if you mean what is detecting it. If I knew where it was I would have already deleted it by now. I think it must be on both my C & F drive since it is blocked at 2 different points during the course of the scan.



CatByte said:


> not exactly, it's been moved from where it can be executed, but can still be detected.


If that is the case with StopZilla then I don't know how to delete them because there isn't an option to delete them & I can't find them in StopZilla folders.

Spy Hunter from Enigma Software is a game that I have that I had installed awhile ago. I forgot about that. I deleted it from the reg & the folder.

I forgot I had installed BitTorrent so I uninstalled that also.

Should I use RegSeeker and/or CCleaner? I just installed them & probably don't really need them since I already have all Norton Utilities.


----------



## CatByte (Feb 24, 2009)

No, I wouldn't suggest using RegSeeker or CCleaner, you don't need them

what I mean is,

what does Norton report exactly when you say it is being detected.

what is the exact message.

Try totally uninstalling StopZilla, remove all traces of it, use TFC, then Defrag, then rerun Norton

see if it is still being reported.

You can always re-install StopZilla if you still want to use it.


----------



## Raz_Man (Oct 17, 2010)

What I said is that Norton is blocking the Trojan. It says it's located in the windows/temp folder but of course the file isn't on the computer since it was blocked.

The defrag is running. That's going to take awhile before it's finished. Then I will run a Norton scan, but Norton doesn't detect anything on its own as having any problems. The Trojan is blocked when StopZilla is running a daily scan, as I tried to explain.

Attached is a screen cap of the Norton details.

Also was there and/or is there still a rootkit infection since Gmer still showed the same thing.


----------



## CatByte (Feb 24, 2009)

Please download a fresh GMER as it has been updated (delete the one on your desktop) and run another scan. It is likely just reporting your antivirus, which is normal.

Norton doesn't give a lot of detail about the incident, does it? Does the "origin" tab give any more information?

I'll give you the full instructions for GMER again, save you scrolling back:

Please download *GMER Rootkit Scanner *from *here* or *here*.

 Extract the contents of the zipped file to desktop. 
 Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent . 
 If it gives you a warning about rootkit activity and asks if you want to run scan...click on *NO*.
 In the right panel, you will see several boxes that have been checked. Uncheck the following ...
 IAT/EAT
 Drives/Partition other than Systemdrive (typically C:\) 
 Show All (don't miss this one)

 Then click the Scan button & wait for it to finish. 
 Once done click on the *[Save..]* button, and in the File name area, type in *"Gmer.txt"* or it will save as a .log file which cannot be uploaded to your post. 
Save it where you can easily find it, such as your desktop, and put it in your next reply.

_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries _


----------



## Raz_Man (Oct 17, 2010)

Norton shows no real information that is usable for tracking this down if that is what you are looking for. If there was I would have deleted it already.

This is everything it shows:

c:\windows\temp\upx.exe
____________________________
____________________________
On computer as of
10/30/2010 at 7:11:17 PM
Last Used:
10/30/2010 at 7:11:17 PM
Startup Item: No
Launched: No
____________________________
____________________________
Very Few Users
Fewer than 10 users in the Norton Community have used this file.
____________________________
High
This file risk is high.
____________________________
Threat Details
Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
Origin

Downloaded from Not Available
____________________________
URL Not Available
UNTESTED

Source
upx.exe
____________________________
File Actions
File: c:\windows\temp\upx.exe
Blocked
____________________________
File Thumbprint:
c61e77adabae8f349cd717ab934f59d60a9d80c55f250e629d51f36560c74d33
____________________________


----------



## CatByte (Feb 24, 2009)

hi

Do you have an AutoHotkey script that Launches the StopZilla program?

http://en.wikipedia.org/wiki/AutoHotkey

If you do then Norton is alerting on a False Positive.

http://www.autohotkey.com/forum/topic53129.html

Compiled ahk's are packed with UPX.

Right now, this is all that I can think of that is happening.

There doesn't appear to be any other reason for it to be occurring.

Other than the norton block

and the GMER detections (which I suspect are related to your AV's)

do you have any other outstanding issues?
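The UPX point above can be checked directly when a suspect file is still on disk. The script below is an added example, not code from this thread or from the UPX project: it reads a PE file's section table and reports whether the image carries UPX's section names (UPX0/UPX1) or the "UPX!" marker, and prints the SHA-256 so it can be set beside Norton's 64-character "File Thumbprint" (that length matches a SHA-256 digest). The two buffers produced by build_sample_pe are constructed header-only stubs for the demo, not real executables, and the thread does not establish what c:\windows\temp\upx.exe actually was; this only shows how to test such a file.

```python
"""Report UPX packing indicators for a PE file (added example)."""
import hashlib
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names UPX gives its sections
UPX_MARKER = b"UPX!"  # version/info block UPX leaves near the headers


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image, or raise ValueError if the
    buffer does not carry a valid DOS/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    first_section = coff + 20 + size_opt      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = first_section + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect the facts an analyst compares with an AV detection."""
    names = pe_section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": [n.decode("latin-1") for n in names],
        "upx_sections": sorted(n.decode("latin-1") for n in names if n in UPX_SECTION_NAMES),
        "upx_marker": UPX_MARKER in data[:4096],
    }


def is_probably_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_marker"]


def build_sample_pe(section_names, marker=b"") -> bytes:
    """Construct a header-only PE buffer with the given section names
    (constructed test data, not a real executable)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    size_opt = 224  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    buf += b"PE\0\0" + coff + bytes(size_opt)
    for name in section_names:
        buf += name.ljust(8, b"\0") + bytes(32)
    buf += marker + bytes(64)
    return bytes(buf)


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return upx_indicators(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = scan_file(sys.argv[1])
    else:
        result = upx_indicators(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], marker=b"UPX!"))
    print(f"sha256      : {result['sha256']}")
    print(f"sections    : {', '.join(result['sections'])}")
    print(f"UPX sections: {result['upx_sections'] or 'none'}")
    print(f"UPX! marker : {result['upx_marker']}")
```

A match here means only that the file was packed with UPX, which is not malicious by itself; what reputation-based engines weight heavily is packing combined with very low prevalence, which is exactly the profile of a freshly compiled script. If the file is still present, `upx -d` will unpack it so the real contents can be inspected.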


----------



## Raz_Man (Oct 17, 2010)

No I don't use an AutoHotkey & StopZilla isn't being launched.

StopZilla is a normal program that is run like Malwarebytes is. Except you can run the scan when you want to or schedule a scan to be run daily, weekly, etc...

I ran the new Gmer & still get the same Rootkit message. This is with Norton disabled. So I have no A/V's running. 

I can't paste the file because it is too big now & locks up if I try. So I had to zip the log file instead.


Does that mean Rootkit isn't & wasn't a problem?


----------



## CatByte (Feb 24, 2009)

Looking at those results, I think there might still be a problem with your MBR.

We are not getting proper results from the logs while windows is running.

I'd like to get a dump of the MBR outside of the Windows environment.

You will need a CD

Download *GETxPUD.exe* to the desktop of your clean computer

Run *GETxPUD.exe*
A new folder will appear on the desktop.
Open the *GETxPUD* folder and click on the *get&burn.bat*
The program will download *xpud_0.9.2.iso*, and when finished, it will open *BurnCDCC* which will be ready to burn the image.
Click on *Start* and follow the prompts to burn the image to a CD.

*NEXT*


Boot the infected computer with the CD you just burned
The computer must be set to boot from the CD
Follow the prompts
A *Welcome to xPUD* screen will appear
Click on *File*
Expand *mnt*
*sda1 or sda2* will usually correspond to your HDD
expand the folder that corresponds to your harddrive.
Press *Tool* on the top menu bar
Choose *Open Terminal*
Type *dd if=/dev/sda of=mbr.bin bs=512 count=1*

This will place a backup of your MBR on your hard drive; it will be called *C:/mbr.bin*

Now exit > Home > reboot (remove the CD so your computer will boot normally)

Now analyze that MBR dump at VirusTotal


Use the *browse button* on that page to navigate to the location of the file to be scanned.
In the *right hand panel*, 
click on the file *C:/mbr.bin*
then click the *open* button. 
The file will now be displayed in the *submit box.*
Scroll down a bit and click *"send file"*, wait for the results
If you get a message saying *File has already been analyzed:* click *Reanalyze file now*
Once scanned, copy and paste the link to the results page in your next reply.
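What VirusTotal receives from the dd command above is one 512-byte sector. The script below is an added example (not CatByte's instructions, xPUD's code or VirusTotal's) showing what an analyst actually looks at in such a dump: it checks the 0x55AA boot signature, separates the bootstrap code, disk signature and four partition entries, hashes the sector so the result can be matched against a VirusTotal report, and flags obviously broken tables. The sector it builds when run without a file argument is constructed for the demo and is not the poster's real dump. One practical note: `of=mbr.bin` is a relative path, so dd writes the file into the terminal's current directory; confirm where it landed before looking for C:/mbr.bin.

```python
"""Inspect a raw 512-byte MBR dump (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type IDs a Windows XP era disk would plausibly carry.
PARTITION_TYPES = {
    0x05: "Extended (CHS)",
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, disk signature and
    partition table; raise if the sector is not a well-formed MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")

    bootcode = sector[:440]                               # code the BIOS jumps into
    disk_signature = struct.unpack("<I", sector[440:444])[0]  # Windows disk signature

    partitions = []
    for i in range(4):                                    # four 16-byte entries at 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack("<II", entry[8:16])
        if ptype == 0x00:                                 # unused slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sector_count,
        })

    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
    }


def sanity_findings(info: dict) -> list:
    """Cheap checks on the parsed table; an empty list means nothing odd."""
    findings = []
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"partition {p['index']} has zero start or length")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"overlapping partitions at LBA {s2}")
    return findings


def build_sample_mbr() -> bytes:
    """Construct a plausible MBR for the demo: one bootable NTFS partition
    starting at LBA 63 plus an NTFS data partition (constructed data)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"                         # start of a typical bootstrap stub
    sector[440:444] = struct.pack("<I", 0x1234ABCD)
    sector[446:462] = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 409_600_000)
    sector[462:478] = bytes([0x00, 0xFE, 0xFF, 0xFF, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 409_600_063, 100_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def analyze_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return parse_mbr(fh.read(SECTOR_SIZE))


if __name__ == "__main__":
    import sys
    data = analyze_file(sys.argv[1]) if len(sys.argv) > 1 else parse_mbr(build_sample_mbr())
    print(f"sector sha256  : {data['sector_sha256']}")
    print(f"bootcode sha256: {data['bootcode_sha256']}")
    print(f"disk signature : 0x{data['disk_signature']:08x}")
    for p in data["partitions"]:
        flag = "*" if p["bootable"] else " "
        print(f" {flag} #{p['index']} {p['type_name']:<16} start={p['lba_start']} sectors={p['sectors']}")
    for f in sanity_findings(data) or ["no anomalies in partition table"]:
        print(" -", f)
```

A clean VirusTotal verdict on mbr.bin means only that no engine matched those 512 bytes; it says nothing about the rest of the disk, so the bootstrap hash is worth keeping to compare against a known-good copy of the same Windows version's MBR code.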


----------



## CatByte (Feb 24, 2009)

I have asked an expert colleague to have a look at that GMER scan as well.

Most of the "hidden - rootkit files" reference Norton and Stopzilla, but there are others there as well, and there is reference to the MBR having rootkit-like behavior, hence my request for the MBR dump.

The expert suggests rebooting your machine...wait 5 minutes before starting it up again, then re-run GMER again to see if you get similar results. (please post the second log so we can compare)

thanks


----------



## Raz_Man (Oct 17, 2010)

This program deleted multiple Windows System files that prevent Windows from being able to boot up. I have gotten messages that NTLDR is missing & l_intl.nls is missing or corrupt. That's most likely why this was being stopped from being run in the 1st place.

I can't even get Windows Setup Disk to run without getting the B.S.O.D & Stop error at the very start before being able to do anything.

At least I can do a Norton Restore to a couple of months ago if nothing else will work. Last known only got me the NTLDR back but left the other file corrupt.

Any ideas on how to undo the changes made by GETxPUD?

The MBR is clean though:
http://www.virustotal.com/file-scan...8f5345df500875b0eb60858329cdf16f33-1288779725



CatByte said:


> Most of the "hidden - rootkit files" reference Norton and Stopzilla, but there are others there as well, and there is reference to the MBR.having rootkit like behavior, hence my request for the MBR dump.


How can it have anything to do with StopZilla when I have uninstalled & removed StopZilla?


----------



## CatByte (Feb 24, 2009)

There would have been left overs that it referenced.

Can you tell me exactly what took place while dumping that MBR as XPUD does not delete anything unless you actually instruct it to do so.

All it is is a boot disk that loads the hard drive outside of Windows.


----------



## Raz_Man (Oct 17, 2010)

I'm not sure what you mean something was leftover that it referenced.

Obviously something happened while doing the MBR because I'm not making this up. I wasn't instructed to do anything.

Like I said. NTLDR was missing originally when I rebooted immediately after creating the MBR.bin. I got that file back by loading the Last Known Good Config but then the l_intl.nls said it was corrupt or missing. So I looked for it & it was there so it must be corrupt. It says to do Windows repair but I can't even get the Setup to start because I keep getting the same Stop error message.

Stop 0x0000007b (0xf78d2524,etc...

How can I undo or fix this?


----------



## Raz_Man (Oct 17, 2010)

Going to reboot & try to run XP Setup again after making a BIOS change. Will see if that works. BRB...


----------



## Raz_Man (Oct 17, 2010)

Still same problem.


----------



## Raz_Man (Oct 17, 2010)

Too bad you can't help me I guess. 

If that last operation didn't delete files then I don't know what else did because that was the only thing I ran. It had to be run outside of Windows for a reason.

What's in the MBR.bin file being scanned for viruses?


----------



## CatByte (Feb 24, 2009)

The last operation didn't delete any files.

The command copied your MBR and placed a copy of the MBR into a file on your hard drive, that was it.

It must be coincidental - bad timing.

Do you remember what files you deleted when you first thought you were infected?

I doubt very much that you had the infection that you thought you had. UPX.exe is a legitimate program, it's a packer for executables.

I believe it was used by StopZilla when it scanned your archived files, so the Norton Detection was a false positive. Did the notifications stop when StopZilla was uninstalled?

Your computer likely has a non-standard (custom) MBR - hence the alert by GMER, is it an OEM machine?

The malware removed by ComboFix was unrelated and fairly minor

the fact it didn't run properly and kicked up errors, was concerning, but could have been related to file corruption or missing files from previous deletions.

too many AV's and security programs may have been conflicting with one another

again this could account for the GMER results

Your remaining symptoms didn't appear to be malware related. 

What is the situation with the computer at this moment?

Are you able to boot in normal mode?

Are you able to boot in safe mode?

can you please describe in as much detail as possible what issues you are having


----------



## Raz_Man (Oct 17, 2010)

CatByte said:


> Do you remember what files you deleted when you first thought you were infected?


First of all I never thought I had an infection & I surely wouldn't ever delete System files.

You were the one that told me you thought I had a rootkit infection which is why I was doing everything you had me do in the first place.

During normal operation, to begin with, I didn't have all those Anti-Virus programs installed. I had just installed those temporarily to run scans only.

I had been able to reboot without any problems prior to doing the MBR.bin. I know everything was OK before it because I had rebooted immediately prior to creating it to go back to look at the instructions again because I had done it wrong the 1st time.

After doing it right, when I rebooted without the CD in, the 1st thing that came up was that the NTLDR was missing. So I booted with the other hard drive & copied it from that one to the other. Then I tried again. That's when I got the next message that the l_intl.nls was missing or corrupt. I then did the same thing again & tried to copy & paste it but still continued to get the same message.

I still can't boot up normally.

I can't boot up in safe mode.

I can't boot up with the Windows Setup CD to do a repair.

In case it matters I am running a mirrored Raid.

That covers as much as I can think of right now. If I come up with more I will post it.


----------



## noahdfear (Nov 20, 2003)

Hi Raz_Man,

CatByte has asked that I assist with the current unexpected problem you're having, and I would be happy to help if you're willing to accept it. I would like to re-iterate that the xPUD routine of copying the hard drive's MBR to a file for inspection should not have had any adverse effect on the drive(s) - it is not a new routine and has been successfully executed many times. That is not to deny that a problem has occurred after executing the task, only that it should not have, and I hope to find the cause and solution.

No doubt you've already discovered that the error message(s) you are receiving do not always mean that the file(s) are missing OR corrupt, and that there can be a number of possible causes, including an infected or corrupt mbr, faulty hardware, incorrectly configured BIOS, faulty driver, and more. Having the error when attempting to boot from the XP cd is troubling, and suggests a bigger or separate problem.

I need a bit of clarification on your hard drive configuration. You previously stated that you have 2 drives - C: and F: - and that you also are running a raid mirror. 

That suggests that the C: drive is the mirror containing 2 hard disk drives, and F: is a third - is that correct?
Sata raid?
Is the raid mirror supported by the motherboard or software loaded from the operating system?
Is the raid mirror intact?
Was it necessary to change the raid configuration in the BIOS to boot to xPUD?
Does xPUD see the mirror set as 1 drive or 2?

You also stated that both C: and F: drives are bootable. Are they bootable by themselves, eg; since F: is an old drive and therefore bootable when it is the only drive attached, does (did) the C: drive boot if the F: drive was physically removed from the computer?
Was the F: drive connected when you installed the operating system on the C: drive?



> I know everything was OK before it because I had rebooted immediately prior to creating it to go back to look at the instructions again because I had done it wrong the 1st time.


Please describe in as much detail as possible what exactly you did wrong on the first attempt.

Would you please also zip the mbr.bin file and attach it to your next reply?


----------



## Raz_Man (Oct 17, 2010)

Dave,

Thanx for the help.

I'm getting really confused & I am very stressed ATM.

I am trying not to make matters any worse than they already are. I wish I never messed with any of this to start with. You know the old saying "if everything's OK don't F with it"...

I kinda had a feeling the Trojan being blocked was a False Positive & as it turns out it was. Oh well such is life.

Anyways I understand what was supposed to happen with creating the mbr.bin & that part probably wasn't the problem. I think the actual problem is with the xPud boot disk. It boots too fast to see what happens but I have a feeling that within that bat file, or whatever you call it, something is possibly written there that damages XP system files.

In trying to fix my problem with my C drive I accidentally expanded files from the Windows CD to my working drive that I was booted up to, in turn crashing it also.

Now since I was still having the same problem doing a XP repair I decided to go ahead & do a new install to the backup drive. Once I am able to rebuild my backup drive I will be able to access my C drive again. Then I can copy my files back off of there before I do anything to that again.

So it may take me a little while again before I reply. I also have a problem still with trying to do a new install of XP on my backup drive with my BIOS set to RAID like it always has been in the past.

No I did not make any changes on my BIOS previously. As far as running the mbr.bin the only thing I did different the 1st time was that instead of doing the command under the sda folder I had run it under the main folder instead. That's all. So when I tried to find it on my hard drive it wasn't there.

I don't have the copy of the mbr.bin right now I will have to get it. My C drive is d/c'd ATM because of booting from CD to the backup drive for the install of XP.

You are correct, my backup drive is the F drive. However I do have a total of 4 drives in all. I am running 2 of those raid mirrored for my C drive. I have 2 CD/DVD's, then F & G hard drives.

The raid mirror stays intact because of a program that I have running, so yes. The software is from Intel, ICH9.
xPud saw the mirror as one.



noahdfear said:


> You also stated that both C: and F: drives are bootable. Are they bootable by themselves, eg; since F: is an old drive and therefore bootable when it is the only drive attached, does (did) the C: drive boot if the F: drive was physically removed from the computer?


I'm not exactly sure what you are asking. The F drive is my old C drive. I don't have to remove my C drive to boot from my F drive though. I just hit F8 at the start & select the drive.

Please let me know what you can about why XP won't install or run with the BIOS set to RAID. I could before & this is with a new install.


----------



## Raz_Man (Oct 17, 2010)

I tried to set the BIOS to AHCI instead, since I have both RAID & non-RAID, but it didn't work either. What happens when I try to boot up is that instead of XP coming up there is a very quick flash of the BSOD with a Stop message that I can't read & then it instantly reboots itself every time.

I don't understand this at all because all I do is change the BIOS to IDE & everything is normal again. The same is true for using the XP CD as far as when it will & won't work. This is regardless of what I do in relationship to installing RAID drivers or not installing them. Maybe this would be different if I tried with a different RAID driver but I did use the same one I did previously.

I was running mirrored RAID before also on the old hard drive.

P.S. My motherboard is an ASUS P5K-E. The RAID driver is actually Intel ICH9R or 82801R. Chipset P35. CPU is an Intel Q9650, Quad Core 3.0 GHz. That should cover all the specs that matter I think. I hope I haven't left anything out.

Any help is appreciated.


----------



## Raz_Man (Oct 17, 2010)

I just found the same issue with the ASUS P5K-E motherboard in another forum. It appears that the issue with the BIOS is common.

This is going to be a stupid question but I am not that knowledgeable with RAID. Can I run a mirrored RAID with the BIOS set to IDE?

This is the other forum & the message I am talking about:


> Just for your reference, you don't NEED to have two drives or any form of a RAID setup to use a SATA hard drive OR install windows onto it.
> 
> I'm using the same P5K-E as you and I've got it working just fine with XP.
> 
> ...


http://www.tomshardware.com/forum/249978-30-unable-install-0x7b-bsod


----------



## noahdfear (Nov 20, 2003)

Hi Raz,

I can imagine how frustrated you must feel right now, but for me to be helpful to you, I need for you to stop everything, take a deep breath and work with me one step at a time. Anything you do moving forward, as well as anything you have done thus far, can have a direct impact on the ability to return to your previous configuration. I will try to briefly explain a few things, to the best of my ability and to the extent of my knowledge, about the boot process and how it is affected by multiple installations, raid configurations, etc. I think and hope that this will be helpful in answering your questions, as well as determining your exact setup and diagnosing then fixing it.

First, it is important for you to understand that neither booting from the xPUD cd nor the Windows XP cd does anything to the hard drive or its contents without being told to. In fact, your computer does not even need a hard drive attached to boot to either cd. The difference between the 2 is that the XP cd is designed to load in memory then copy the files necessary to load its operating system onto a hard drive, and the xPUD cd is designed to load everything, including its operating system, completely in memory.

When you attach a hard drive and power on the computer, the drive is detected by the BIOS and assigned a number based on how many drives are detected and where they are connected. These assignments are reflected as HDD0, HDD1, HDD2, etc. A single IDE drive connected on the primary header of the motherboard in the Master position (the end of a 2 connector ribbon cable) will be assigned HDD0, and a second IDE drive connected to the Slave position (the middle connector of a 2 connector ribbon cable) will be assigned HDD1. The assignment is similar if using SATA drives rather than IDE drives. Having a mixture of SATA and IDE drives, will affect these assignments. This assignment number is used in the boot.ini file.

The BIOS generally has options for setting which hard drive, if more than one is connected, is the first hard drive to boot from. This is a different setting than which device to boot from first, the boot device order, which can be floppy, cd, hard drive, usb, network, etc. When more than one drive is connected and enabled, the BIOS will check the one assigned as first boot then move to the next, until it finds one that is flagged bootable.

When you boot with an XP installation cd, files required to begin setup are copied to and loaded in memory. Setup does not contain drivers that support raid configurations, so an option is displayed at the bottom of the screen at this time to press F6 if you need to load supporting drivers from a disc. Doing so will interrupt the setup process, allowing you to load the drivers into memory also, so that once setup begins your raid devices can be detected. When setup begins, you are asked if you want to install Windows or repair a previous installation. Whichever choice is selected, setup will then search for an attached hard drive. If a raid configuration is present, and the drivers have been loaded, setup can detect the raid configured drives as well as any other drives not in the raid configuration. Without the required drivers, setup can only detect hard drives not in a raid configuration. I am not positive, but I believe that the AHCI/IDE mode setting will come into play at this stage, and that being in AHCI mode creates a raid configuration as seen by setup even if only one hard drive exists, eg; AHCI mode likely requires loading the drivers. More on raid later .........

Once the hard drive has been detected, setup inspects the drive for partition structure. The basic partition structure is stored in the mbr (Master Boot Record), which is only present in a drive that has been formatted. A hard drive with an mbr that has been corrupted or its embedded partition structure altered in such a way that setup cannot determine the partition structure, can appear to setup as an unformatted drive. Setup must first detect a formatted hard drive to begin the Windows installation.

When setup begins installing Windows in an environment with no previous Windows installations, it copies not only the operating system files to the drive, but it also copies the loaders for the operating system (NTLDR and others) and creates the boot.ini file, which tells the location of the operating system files (which hard drive, partition and system folder). It also writes information to the formatted drive's mbr that tells where to look for the loaders - the bootable partition flag and boot sector. Also created is the MFT (Master File Table) that is used in conjunction with the boot sector to locate the loaders. Corruption in the MFT and/or boot sector can be one of the numerous causes of getting an 'NTLDR is missing' error message when booting.

When you add an additional Windows installation to an existing installation, whether that additional installation is to be on another partition or on another hard drive, setup does not copy the loaders or create a new boot.ini to that partition or hard drive, but instead adds the location of the new installation to the boot.ini in the existing installation. This scenario will result in displaying a menu upon startup with more than one operating system to boot. By the same token, it does not alter the mbr on the additional partition or hard drive. The BIOS will still detect the boot flag (the only boot flag) in the original mbr and use the loaders in that partition to load the new installation. As mentioned previously, the BIOS does not care which hard drive is selected as first boot in this scenario - it will check each drive in turn until it finds a boot flag. What this also means is that if the additional installation is to be on another hard drive, that hard drive is not bootable all by itself. If you remove the first hard drive, you remove the mbr with the bootable flag, the loaders needed to boot it and the boot.ini that tells the location of the installation.

Now, let's say you have Windows XP installed on one hard drive and you disconnect that hard drive, attach a new drive and proceed to install Windows on the new drive. Because it is the only drive connected, it will have its mbr set with a boot flag, the loader files copied to it and the boot.ini file created on it, just like the first drive. You then connect the first drive, and either drive can be booted to, which one being the result of either the BIOS first boot configuration or using F12 (or F9 or F10, depending on the motherboard) to enable the boot device option menu and selecting which hard drive to boot. In this scenario, there is only one operating system location shown in each boot.ini file and therefore only one choice of operating systems displayed at Startup (if displayed at all). In this scenario, one could also manually add the other drive's operating system location to each boot.ini file and then have the option displayed to start either system, regardless of which drive is used as the boot device.

Raid ~~~~ as you know, a raid mirror is a configuration that causes 2 hard drives to act as one. Any information written to the mirrored set is simultaneously written to each drive. The raid configuration is achieved through the use of software and drivers ....... sometimes embedded in the motherboard and sometimes loaded from a disc. Until the mirror is created, the hard drives to be used are detected by the BIOS as separate drives. Once the mirror is created, the BIOS should display the set as 1 hard drive, provided raid is enabled in the BIOS - AHCI/IDE mode in play - and its drivers loaded. This drive is subject to the same installation and boot device scenarios described above. Altering the physical connections of these drives, or the mode selected in the BIOS, will affect the state of the mirror and may require rebuilding the mirror.

While the boot process is more complex than I've described above, my brief (long-winded) explanation should help you to understand, if nothing else, that there are many variables that can affect what we need to look for and the steps to take in resolving the issue, and why I need to have a clear picture of your configuration. Add in the fact that I have not had the opportunity to test xPUD in a mirrored raid environment or with your hardware, and therefore do not know first hand if or how it will be supported, and you can also understand how important your feedback is in painting that picture for me.

All of that said, please give me an update on the current state of things.
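Inspecting the partition table of an mbr.bin dump, as an added example that is not part of the thread, of xPUD or of either poster's tooling: it decodes the four MBR partition entries, checks the 0x55AA signature and the 0x80 boot flag described in the post above, and reports the conditions that would make the BIOS skip a drive or make Setup see it as unformatted. The sample MBR bytes, the entry layout helper and the optional file argument are constructed for this example.

```python
"""Inspect a raw 512-byte MBR dump (such as the mbr.bin xPUD copies out) and
report what the BIOS and XP Setup would see in it.  Added example for this
thread, not a tool from xPUD or from the posters; SAMPLE_MBR is constructed."""
import struct
import sys
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # the first 446 bytes are bootstrap code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
# Enough partition type IDs for the example; anything else is shown as "unknown".
PART_TYPES = {0x00: "empty", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x82: "Linux swap", 0x83: "Linux"}


@dataclass
class PartitionEntry:
    index: int
    bootable: bool      # status byte 0x80 = active/boot flag, 0x00 = inactive
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:   # exclusive end sector
        return self.lba_start + self.sectors


def parse_mbr(data: bytes) -> List[PartitionEntry]:
    """Decode the four 16-byte partition entries; raise if the MBR is unusable."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature: Setup would treat the drive as unformatted")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", data, off)
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    return entries


def check_mbr(entries: List[PartitionEntry]) -> List[str]:
    """Findings that would explain a drive the BIOS skips or Setup mis-detects."""
    findings = []
    used = [e for e in entries if e.type_id != 0x00]
    flagged = [e for e in used if e.bootable]
    if not used:
        findings.append("partition table is empty")
    elif not flagged:
        findings.append("no partition carries the 0x80 boot flag: BIOS will skip this drive")
    elif len(flagged) > 1:
        findings.append("more than one partition is flagged bootable")
    for e in used:
        if e.sectors == 0:
            findings.append(f"partition {e.index} has zero length")
    ordered = sorted(used, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def describe(entries: List[PartitionEntry]) -> List[str]:
    """One human-readable line per defined partition ('*' marks the boot flag)."""
    return [f"#{e.index} {'*' if e.bootable else ' '} type=0x{e.type_id:02x} "
            f"({PART_TYPES.get(e.type_id, 'unknown')}) lba={e.lba_start} sectors={e.sectors}"
            for e in entries if e.type_id != 0x00]


def _entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    """Build one raw partition entry (CHS fields left zero; LBA is what matters here)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba, count)


# Constructed sample: a typical XP layout, one active NTFS system partition plus data.
SAMPLE_MBR = (b"\x00" * PART_TABLE_OFFSET
              + _entry(True, 0x07, 63, 2_000_000)
              + _entry(False, 0x07, 2_000_063, 500_000)
              + _entry(False, 0x00, 0, 0) * 2
              + BOOT_SIGNATURE)

if __name__ == "__main__":
    # Optional argument: path to a 512-byte mbr.bin; otherwise the constructed sample is used.
    raw = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else SAMPLE_MBR
    parts = parse_mbr(raw)
    print("\n".join(describe(parts)))
    print("\n".join(check_mbr(parts)) or "no problems found in the partition table")
```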


----------



## Raz_Man (Oct 17, 2010)

It appears that after running the xPud boot CD that the NTLDR & HAL.dll became corrupt somehow.

All my hard drives are SATA not IDE. That is why I said I run RAID. I always have run RAID & had installed RAID before with the same XP CD while using the F6 to install the RAID driver during the install.

I only had to temporarily switch the BIOS to IDE instead because I was unable to re-install XP or bootup into XP after installing it with it set to RAID or AHCI. I hope you understand now.

I only have partially installed some things so far, on what was my F drive, so that I could have an operational system to communicate from. I also need this to eventually be able to backup all my data off my C drive again. 

I have slowed down now. Let me know what else you need to know at this time. I understand most of what you are talking about I think.


----------



## Raz_Man (Oct 17, 2010)

I still have to get my computer back up & running.
It's been down since the 3rd now.

I understand you have a life also but with just one post a day it's going to take awhile & especially if I don't do anything.


----------



## noahdfear (Nov 20, 2003)

> I only have partially installed some things so far, on what was my F drive, so that I could have an operational system to communicate from.


Does that mean you did a clean install and have only installed a few things to the new installation, on the F: drive, instead of doing a repair install that would have kept everything intact?



> I only had to temporarily switch the BIOS to IDE instead because I was unable to re-install XP or bootup into XP after installing it with it set to RAID or AHCI.


Are you saying that to boot the new installation you now have to set it to IDE mode, or was that just upon first boot?



> I also need this to eventually be able to backup all my data off my C drive again.


With the F: drive bootable again, can you now access your data on the C: drive? Is the raid mirror still intact, eg; are the two drives still seen as one from F: ?

In your previous setup, was the F: drive a bootable system and attached when you created the mirror and installed the operating system on the mirror?


----------



## Raz_Man (Oct 17, 2010)

Great now you are on track.



> Does that mean you did a clean install and have only installed a few things to the new installation, on the F: drive, instead of doing a repair install that would have kept everything intact?


Yes that means I did a clean install to the F drive. I was unable to do just a repair & have it work so I had to completely re-install the drive. I wish I could have.



> Are you saying that to boot the new installation you now have to set it to IDE mode, or was that just upon first boot?


Yes, again. As I said, I was not able to run the XP cd install with the BIOS set to RAID at all period. Even on a new install. It makes no sense at all to me especially since I did this previously with all the same equipment.



> With the F: drive bootable again, can you now access your data on the C: drive? Is the raid mirror still intact, eg; are the two drives still seen as one from F: ?


Right, that is why I am doing what I am doing. Yes the mirror is intact. It won't matter if I have to re-install that drive also. Since I wasn't able to do a repair on this drive I probably won't be able to repair that drive either.

I'm not that worried though. What I am hoping to be able to do is a Norton Restore from a backup that is only about two months old luckily. Unfortunately my computer must have been turned off when it was run last month. Hopefully the restore will work. I haven't had to use it before. I don't see why it wouldn't though.

I just need to figure out how I can set the BIOS back to RAID & get XP to work again like it did instead of wanting to reboot like it does now. I need to be able to run the XP install cd with the BIOS set to RAID also. I really don't want to change from XP.



> In your previous setup, was the F: drive a bootable system and attached when you created the mirror and installed the operating system on the mirror?


My F drive was my old C drive from previously. When I upgraded my system I took that drive & made it my F drive & put two 1TB drives as my C & D drives then set them up to run as mirrored RAID. I then installed XP on them. I really don't think I had anything more than the two 1TB drives in the system at the time I set that up. I think I transferred my other two drives over at a later date. There wasn't anything with my system that needed to be changed when I added the new drives to them or anything like that.


----------



## noahdfear (Nov 20, 2003)

Before we go any further, since you can access your C: drive, I suggest you go ahead and get your data backed up to the F: drive.


----------



## Raz_Man (Oct 17, 2010)

I was backing it up already, as I was saying, onto a USB Flash Drive 1st. Since I may still have to re-install this drive, with the BIOS set to RAID, after I get my other drives recovered.

I thought of something else. All I have to do with this drive is use Norton Ghost to copy an image of my C drive once I restore it. Then I will have a new backup of that drive & a boot drive also. That should work.


----------



## Raz_Man (Oct 17, 2010)

Does that mean no ideas?

It's hard to not do anything at all.

I already had backed everything up, on both the F drive & the USB drive.

I've attached the mbr.bin now also.


----------



## noahdfear (Nov 20, 2003)

Hi Raz,

Of course there are ideas. I was waiting for you to post back and let me know you were done backing up and ready to move on. Of course, it didn't help much that I had a 20 hr workday yesterday and another 15 today ..........

You have a couple of ways to go here, which my boot process explanation above actually explained. You can either have each drive bootable on its own and which one you choose to boot achieved by selecting the boot device, or you can have them both depend on one hard drive having a boot flag and a boot.ini that displays which drive to boot as an operating system selection during startup. Whichever you choose, all you need to do is:

Enter the BIOS and enable raid mode, save and exit.
Enter the raid utility then configure/reconfigure the raid mirror.
Restart and go back into the BIOS to verify the raid mirror is detected as such, then set hard drive boot priority (either the mirror or the single drive).
Restart with the XP cd and use F6 to install the raid drivers, then when setup starts, choose to install and select one of the previous installations - you should be prompted to repair the installation.

Perform a Repair Installation
How to Perform a Windows XP Repair Install
Install Windows XP on a RAID Array

If you want each drive to be bootable on its own, disconnect (or disable in the bios) one of the drives (either the mirrored drives or the single drive) while doing the repair and do not reconnect it until the installation has completed a normal startup. When doing the single drive, you can obviously skip configuring the mirror since that will be the only drive enabled.

Once you've made each drive bootable, if so desired, you can edit the boot.ini on each drive to reflect the operating system on both drives so that you can select either system to boot without the need to change (select) the boot device - both will be displayed on startup regardless of which hard drive is booted. I'll be happy to help you with that when the time comes, if needed.


----------



## Raz_Man (Oct 17, 2010)

I said days ago I re-installed this F drive so that I was able to backup my other drive. I also posted that I had already done it on the 8th.

You are seriously giving me instructions on how to repair or install Windows XP? If I could do that I wouldn't be wasting my time on here. I've told you multiple times that is the problem. I can't set the BIOS to RAID & do that. I can only set it to IDE & have that work. I posted the Stop error message that I get with the BSOD whenever I try to run the XP install CD with the BIOS set to RAID or AHCI.



> If you want each drive to be bootable on its own, disconnect (or disable in the bios) one of the drives (either the mirrored drives or the single drive) while doing the repair and do not reconnect it until the installation has completed a normal startup. When doing the single drive, you can obviously skip configuring the mirror since that will be the only drive enabled.


What do you mean disable or disconnect the BIOS? How do you do that?
Are you saying that the single drive has to be installed after the mirrored drives are regardless of the fact that it is already installed?
Will my idea as far as a Ghost image of the C drive work for the F drive?


----------



## noahdfear (Nov 20, 2003)

You won't get a stop error if the XP cd is actually used as the boot device. Sounds to me that when set to raid mode it's bypassing the cd. See if pressing F12 or F9 when booting brings up the boot menu where you can select the boot device, then select the cd drive. As you already know, when booting to cd it first prompts you to press any key to boot from the cd, then immediately goes to 'Setup is inspecting your computer's hardware configuration' then 'Windows Setup'.

I did not say disable or disconnect the bios. I said disconnect the drive or disable it in the bios.


----------



## Raz_Man (Oct 17, 2010)

Sorry I read it wrong.
You didn't answer the other questions.

Before it was sounding like you didn't think I saw what I did with my system not working after using the xPud boot disk. Now I know you are telling me I don't know what I am seeing when I boot with the XP cd.

Setting the BIOS to RAID doesn't change the boot order.

I don't think we are getting anywhere & you don't really seem to understand RAID anyways so don't worry about it. I'm done.

*Maybe this can at least keep someone else from having a problem in the future if at least one thing comes from this. This is a perfect example of what happens when running programs from places you don't know. Programs should be bench tested before being given to other people to run in a working environment.*


----------



## noahdfear (Nov 20, 2003)

I'm pretty sure the only question of yours I did not answer was if your Norton backup would work, and I did so sometimes in great detail, and always without the demeaning tone you have taken with me in nearly every one of your responses to me. My only response to you now is that it does not matter how many forms of backup a person has, be they images or raid mirrors, they mean nothing if you don't know how to use them (and I DO!!).

Good day sir!


----------

