Adware, malware, spyware, hijacker discussion and information

 Post subject: Has Someone Tapped Into My Computer?
PostPosted: Mon Oct 26, 2009 6:33 am 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Not sure if I have someone with the ability to review my files, emails or keystrokes?

Several times over the last year or so, confidential information between me and one other person has been breached.

The other person I share with tells me that his machine is secure.

Therefore I have to think that there is something on mine. Anti-virus programs from Spybot to Norton say I am clean.

Below is the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:56 AM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatc ... p=aus&qkw=%s&tbid=%tb_id&%language
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80114
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/do ... ysinfo.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5841447140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99c3ee3b67be4) (gupdate1c99c3ee3b67be4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9752 bytes

Thanks

Pick ><>
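A small triage script for log lines in the HijackThis format posted above, added here as an example; it is not part of the forum thread, of HijackThis, or of OTL. The sample lines are constructed from the shape of the log above, and the list of known-good Internet Explorer search hosts is an assumption for a stock Windows XP / HP build.

```python
"""Triage helper for HijackThis-style log lines (added example, not the tool's own code).

It does not decide what is malicious; it only surfaces the entries a reviewer
looks at first: browser search settings pointing somewhere non-default,
autorun entries with a bare filename, and orphaned entries (missing files or CLSIDs).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: hosts IE search/start settings normally point at on a stock XP/HP machine.
# Anything else is "review", not "malicious": vendor toolbars (inbox.com) also rewrite these.
KNOWN_GOOD_SEARCH_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com", "www.msn.com"}

# Constructed sample lines modelled on the log in the post above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
""".strip()


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R1", "O4"
    reason: str   # why this entry deserves a reviewer's attention
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}|F\d)\s+-\s+(.*)$")
# "HKLM\Software\...\Main,Start Page = http://..."  -> hive, key path, value name, data
REG_VALUE_RE = re.compile(r"^(HK\w+)\\(.+?),(.+?)\s*=\s*(.*)$")
# "HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run:\s+\[(.+?)\]\s*(.*)$")


def _run_target(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one log line; return a Finding if it merits review, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    # Orphaned entries: the registry still references something that is no longer there.
    if "(file missing)" in body or "No CLSID value found" in body:
        return Finding(section, "orphaned entry: referenced file or CLSID is missing", line)
    if section in ("R0", "R1"):
        rm = REG_VALUE_RE.match(body)
        if rm and rm.group(4):  # empty data (e.g. "Local Page =") is normal
            host = urlparse(rm.group(4)).hostname or ""
            if host and host not in KNOWN_GOOD_SEARCH_HOSTS:
                return Finding(section, f"browser setting '{rm.group(3)}' points at {host}", line)
        return None
    if section == "O4":
        om = RUN_RE.match(body)
        if om:
            target = _run_target(om.group(2))
            # A bare filename is resolved through the search path, so its location must be verified.
            if target and "\\" not in target and "/" not in target:
                return Finding(section, f"autorun [{om.group(1)}] uses bare filename {target}; verify its location", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the entries worth reviewing."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"{finding.section}: {finding.reason}")
```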

 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Mon Oct 26, 2009 7:37 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
Hello and welcome to TeMerc Internet Countermeasures Forum and thanks for joining.

Let's look a bit deeper into the system.

Please download OTListIt2 from here.
  • Save the file to your desktop.
  • Once on the desktop double click OTListit2.exe and the application will open.
  • Be sure the 'Use Whitelist' box is ticked in each section where this is an option.
  • From the 'File Ages' drop down menu, please select '30 days'
  • Then click the 'Run Scan' button.
The scan will produce a single log file, please post that log file back for me to review.

 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Mon Oct 26, 2009 8:06 am 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Here is the log


OTL logfile created on: 10/26/2009 10:01:14 AM - Run 1
OTL by OldTimer - Version 3.0.22.1 Folder = C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1015.29 Mb Total Physical Memory | 441.43 Mb Available Physical Memory | 43.48% Memory free
2.39 Gb Paging File | 1.88 Gb Available in Paging File | 78.90% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 141.92 Gb Total Space | 105.06 Gb Free Space | 74.03% Space Free | Partition Type: NTFS
Drive D: | 7.10 Gb Total Space | 2.70 Gb Free Space | 38.06% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PUMA
Current User Name: HP_Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/10/26 09:58:29 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\OTL.exe
PRC - [2009/09/21 14:46:58 | 12,993,816 | ---- | M] () -- C:\Program Files\RegCure\RegCure.exe
PRC - [2009/08/27 00:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/22 02:28:17 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
PRC - [2009/05/21 11:34:07 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/01/08 07:36:42 | 02,521,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
PRC - [2008/10/22 07:25:30 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2004/08/20 16:55:14 | 00,155,648 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\igfxtray.exe
PRC - [2004/08/20 16:51:14 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\hkcmd.exe
PRC - [2004/08/12 10:41:32 | 00,098,304 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\QuickTime\qttask.exe
PRC - [2004/07/06 10:05:48 | 02,550,272 | ---- | M] (RealTek Semicoductor Corp.) -- C:\WINDOWS\ALCWZRD.EXE
PRC - [2004/07/02 03:58:14 | 00,073,728 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2004/06/30 02:06:38 | 00,088,363 | ---- | M] (Agere Systems) -- C:\WINDOWS\AGRSMMSG.exe
PRC - [2004/06/08 03:42:30 | 00,659,456 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\hphmon06.exe
PRC - [2004/05/29 14:31:38 | 00,241,664 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2003/06/20 15:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2003/06/01 03:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
PRC - [2003/02/12 05:02:48 | 00,061,440 | ---- | M] (Hewlett-Packard Company) -- C:\HP\KBD\KBD.EXE
PRC - [2000/02/24 12:23:44 | 08,810,548 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE
PRC - [1998/05/08 01:04:38 | 00,052,736 | ---- | M] (Hewlett-Packard Company) -- C:\windows\system\hpsysdrv.exe

========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (Symantec RemoteAssist [On_Demand | Stopped])
SRV - [2009/08/22 02:28:17 | 00,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe -- (Norton Internet Security [Auto | Running])
SRV - [2009/05/21 11:34:05 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2009/03/22 14:53:40 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [Auto | Stopped])
SRV - [2009/03/03 15:30:19 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c99c3ee3b67be4 [Auto | Stopped])
SRV - [2009/03/03 14:53:08 | 00,033,176 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus(R) Helper [On_Demand | Stopped])
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2008/10/22 07:25:30 | 00,020,480 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService [Auto | Running])
SRV - [2008/07/29 22:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/07/29 20:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2008/07/29 20:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - [2008/07/25 12:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2008/07/25 12:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2008/04/13 19:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2007/05/24 08:08:44 | 00,061,440 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])
SRV - [2004/04/22 03:28:04 | 00,401,408 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService [On_Demand | Stopped])
SRV - [2003/06/20 15:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])
SRV - [2003/06/01 03:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -- (MSSQL$MICROSOFTBCM [Auto | Running])
SRV - [2002/12/18 02:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTBCM [On_Demand | Stopped])
SRV - [2002/12/18 02:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2009/09/10 15:10:19 | 00,329,080 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091021.001\IDSxpx86.sys -- (IDSxpx86 [System | Running])
DRV - [2009/09/08 18:21:56 | 00,482,432 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\ccHPx86.sys -- (ccHP [System | Running])
DRV - [2009/08/26 03:00:00 | 00,371,248 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl [System | Running])
DRV - [2009/08/26 03:00:00 | 00,102,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv [On_Demand | Running])
DRV - [2009/08/25 03:00:00 | 01,323,568 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091025.035\NAVEX15.SYS -- (NAVEX15 [On_Demand | Running])
DRV - [2009/08/25 03:00:00 | 00,084,912 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20091025.035\NAVENG.SYS -- (NAVENG [On_Demand | Running])
DRV - [2009/08/22 02:28:17 | 00,310,320 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SYMEFA.SYS -- (SymEFA [Boot | Running])
DRV - [2009/08/22 02:28:17 | 00,308,272 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SRTSP.SYS -- (SRTSP [On_Demand | Running])
DRV - [2009/08/22 02:28:17 | 00,259,632 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\BHDrvx86.sys -- (BHDrvx86 [System | Running])
DRV - [2009/08/22 02:28:17 | 00,217,136 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMTDI.SYS -- (SYMTDI [System | Running])
DRV - [2009/08/22 02:28:17 | 00,089,904 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMFW.SYS -- (SYMFW [On_Demand | Running])
DRV - [2009/08/22 02:28:17 | 00,043,696 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\NIS\1007020.00B\SRTSPX.SYS -- (SRTSPX [System | Running])
DRV - [2009/08/22 02:28:17 | 00,036,400 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMNDIS.SYS -- (SYMNDIS [On_Demand | Running])
DRV - [2009/08/22 02:28:17 | 00,033,072 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\NIS\1007020.00B\SYMIDS.SYS -- (SYMIDS [On_Demand | Running])
DRV - [2009/08/20 10:24:40 | 00,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\Drivers\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
DRV - [2009/08/18 14:11:17 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIMMP [On_Demand | Running])
DRV - [2009/08/18 14:11:17 | 00,036,400 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\System32\DRIVERS\SymIM.sys -- (SymIM [On_Demand | Stopped])
DRV - [2008/04/13 11:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2004/08/20 17:26:00 | 00,737,874 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2004/08/04 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/07/20 02:33:14 | 00,218,112 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisgrp.sys -- (SiS315 [On_Demand | Stopped])
DRV - [2004/07/17 13:20:34 | 00,012,160 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\srvkp.sys -- (SiSkp [System | Running])
DRV - [2004/07/07 08:59:44 | 02,185,408 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2004/06/30 02:07:18 | 01,268,204 | ---- | M] (Agere Systems) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys -- (AgereSoftModem [On_Demand | Running])
DRV - [2004/06/15 14:08:20 | 00,626,220 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\System32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Stopped])
DRV - [2004/05/06 06:28:52 | 00,142,976 | ---- | M] (Copyright (C) VIA/S3 Graphics Co, Ltd.) -- C:\WINDOWS\System32\DRIVERS\vtmini.sys -- (viagfx [On_Demand | Stopped])
DRV - [2004/04/22 18:02:00 | 00,020,368 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2004/04/06 09:42:36 | 00,013,872 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2003/12/12 15:54:14 | 00,391,424 | ---- | M] (Sensaura Ltd) -- C:\WINDOWS\System32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Stopped])
DRV - [2003/12/03 03:23:20 | 00,142,336 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\fasttx2k.sys -- (fasttx2k [Boot | Running])
DRV - [2003/09/19 10:47:00 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\System32\drivers\pfc.sys -- (Pfc [On_Demand | Running])
DRV - [2003/09/11 08:36:54 | 00,021,060 | ---- | M] (InterVideo, Inc.) -- C:\WINDOWS\System32\drivers\iviaspi.sys -- (Iviaspi [On_Demand | Running])
DRV - [2003/07/19 01:58:20 | 00,036,992 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP [Boot | Running])
DRV - [2003/07/02 20:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys -- (viaagp1 [Boot | Running])
DRV - [2002/10/05 02:04:10 | 00,046,976 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS -- (rtl8139 [On_Demand | Running])
DRV - [2001/06/04 23:00:00 | 00,014,112 | ---- | M] (Hewlett-Packard Company) -- C:\WINDOWS\System32\DRIVERS\PS2.sys -- (Ps2 [On_Demand | Running])

========== Modules (SafeList) ==========

MOD - [2009/10/26 09:58:29 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\OTL.exe
MOD - [2009/08/22 02:28:14 | 00,419,696 | R--- | M] (Symantec Corporation) -- C:\PROGRAM FILES\NORTON INTERNET SECURITY\ENGINE\16.7.2.11\ASOEHOOK.DLL
MOD - [2008/04/14 06:42:52 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 19:12:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mslbui.dll

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80114
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Crawler Search"
FF - prefs.js..browser.search.selectedEngine: "Crawler Search"
FF - prefs.js..keyword.URL: "http://www.crawler.com/search/dispatcher.aspx?tp=aus&tbid=60195&qkw="

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/28 07:55:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/26 08:59:33 | 00,000,000 | ---D | M]

[2009/10/23 10:07:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Application Data\mozilla\Firefox\Profiles\wbz31j0j.default\extensions
[2009/10/23 10:07:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Application Data\mozilla\Firefox\Profiles\wbz31j0j.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/01/26 08:59:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/09/16 08:08:12 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/09/16 08:07:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/01/26 08:59:48 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2008/09/16 08:07:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\real-networks@partners.mozilla.com
[2008/09/16 08:07:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\talkback@mozilla.org
[2006/10/11 03:04:58 | 00,061,036 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2006/10/11 03:04:59 | 00,048,742 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2006/10/11 03:05:03 | 00,029,313 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\myspell.dll
[2006/10/11 03:05:03 | 00,041,082 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\spellchk.dll
[2006/10/11 03:04:58 | 00,166,510 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2009/01/26 08:59:32 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeploytk.dll
[2006/10/11 03:04:59 | 00,017,030 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2006/10/11 03:05:04 | 00,001,514 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2006/10/11 03:05:04 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2007/07/26 12:05:16 | 00,001,329 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\crawlersrch.xml
[2006/10/11 03:05:04 | 00,001,038 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2006/10/11 03:05:04 | 00,001,046 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2006/10/11 03:05:04 | 00,002,320 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2006/10/11 03:05:04 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AGRSMMSG] C:\WINDOWS\AGRSMMSG.exe (Agere Systems)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4 - HKLM..\Run: [AlcxMonitor] C:\WINDOWS\ALCXMNTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE (Hewlett-Packard Company)
O4 - HKLM..\Run: [PS2] C:\WINDOWS\System32\ps2.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add To HP Organize... - C:\Program Files\Hewlett-Packard\HP Organize\bin\core.hp.main\SendTo.html ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/ ... ontrol.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} https://wimpro2.cce.hp.com/ChatEntry/do ... ysinfo.cab (SysData Class)
O16 - DPF: {656FAD09-4DE3-4C34-9600-0928C855FD7A} http://download.microsoft.com/download/ ... upd806.exe (AxTaskList Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftup ... 5841447140 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab (HP Download Manager)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab (DDRevision Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/aut ... s-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab (get_atlcom Class)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.55.5.10 209.55.5.11
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\intu-help-qb1 {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll (TODO: <Company name>)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll (Symantec Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/07/12 16:48:45 | 00,000,663 | ---- | M] () - C:\autoAlbum.log -- [ NTFS ]
O32 - AutoRun File - [2004/08/12 07:52:25 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/05/15 17:05:33 | 00,000,037 | ---- | M] () - C:\AUTOEXEC.OLD -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 06:07:38 | 00,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2004/04/30 22:01:14 | 00,000,053 | -HS- | M] () - D:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/10/22 17:33:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\HP
[2009/10/22 17:33:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\IsolatedStorage
[2009/10/21 11:13:55 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/10/25 09:16:27 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/10/26 09:58:26 | 00,521,728 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\OTL.exe
[2009/10/25 09:45:35 | 00,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2009/10/23 10:07:30 | 04,938,616 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\Silverlight.exe
[2009/10/20 09:26:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\CEMINES
[2009/10/07 07:08:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\JAC LABELS
[2007/08/25 08:46:48 | 28,868,320 | ---- | C] (Microsoft Corporation) -- C:\Program Files\FileFormatConverters.exe

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[6 C:\WINDOWS\*.tmp files]
[2009/10/26 09:58:29 | 00,521,728 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\OTL.exe
[2009/10/26 08:28:35 | 00,002,473 | ---- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\Microsoft Word (2).lnk
[2009/10/26 08:21:21 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009/10/26 08:07:33 | 00,000,280 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2009/10/26 07:57:10 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/10/26 07:56:57 | 00,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat
[2009/10/26 07:56:55 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009/10/26 07:56:55 | 00,000,460 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/10/26 07:56:55 | 00,000,400 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2009/10/26 07:56:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/10/26 07:56:51 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/10/26 07:56:50 | 10,646,85568 | -HS- | M] () -- C:\hiberfil.sys
[2009/10/25 09:16:28 | 00,001,745 | ---- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\HijackThis.lnk
[2009/10/25 08:20:27 | 00,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2009/10/25 08:18:45 | 00,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2009/10/23 10:07:31 | 04,938,616 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\Silverlight.exe
[2009/10/22 16:22:39 | 00,002,471 | ---- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\Microsoft Excel (2).lnk
[2009/10/21 11:11:59 | 09,080,832 | ---- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\my portfolio.mny
[2009/10/21 11:11:58 | 01,598,182 | R--- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_111153.mbf
[2009/10/21 11:09:41 | 01,601,262 | R--- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_110935.mbf
[2009/10/21 11:00:25 | 01,591,238 | R--- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_110019.mbf
[2009/10/21 09:20:00 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/10/20 18:14:20 | 00,000,394 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2009/10/20 18:14:15 | 00,000,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/10/19 18:41:16 | 00,002,443 | ---- | M] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\Microsoft Office Publisher 2007 (2).lnk
[2009/10/16 18:08:25 | 00,478,582 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/16 18:08:25 | 00,420,298 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/16 18:08:25 | 00,070,090 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/16 18:00:54 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/06 12:30:27 | 00,007,670 | ---- | M] () -- C:\WINDOWS\MAPINFOW.PRF
[2009/10/06 12:30:27 | 00,001,768 | ---- | M] () -- C:\WINDOWS\MAPINFOW.WOR
[2009/10/06 10:18:42 | 00,013,030 | ---- | M] () -- C:\PDOXUSRS.NET
[2009/10/02 13:01:57 | 25,198,016 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== Files - No Company Name ==========
[2009/10/25 09:16:28 | 00,001,745 | ---- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Desktop\HijackThis.lnk
[2009/10/21 11:11:58 | 01,598,182 | R--- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_111153.mbf
[2009/10/21 11:09:41 | 01,601,262 | R--- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_110935.mbf
[2009/10/21 11:00:25 | 01,591,238 | R--- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\My Documents\My Portfolio Backup_2009-10-21_110019.mbf
[2009/08/27 09:27:04 | 00,010,584 | ---- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Application Data\docXConverter (3).ini
[2009/08/27 09:26:41 | 00,000,126 | -H-- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Application Data\lakerda1967.sys
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/06/28 11:44:06 | 00,005,120 | ---- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/23 18:27:17 | 00,072,944 | ---- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/22 19:57:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Application Data\desktop.ini
[2009/02/22 19:57:05 | 04,311,370 | -H-- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\IconCache.db
[2009/02/22 19:57:05 | 00,000,136 | ---- | C] () -- C:\Documents and Settings\HP_Administrator.YOUR-CF765A3AC9\Local Settings\Application Data\fusioncache.dat
[2008/10/10 19:46:22 | 00,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2008/08/18 19:17:03 | 00,001,024 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\1ppt2pdf.dll
[2008/06/25 07:48:07 | 00,116,673 | ---- | C] () -- C:\Program Files\Ami332.zip
[2008/01/07 13:01:14 | 00,000,084 | ---- | C] () -- C:\WINDOWS\csact.ini
[2006/10/19 07:25:48 | 00,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/03/28 18:54:17 | 00,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2006/03/28 18:54:17 | 00,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2006/01/07 15:23:43 | 00,000,173 | ---- | C] () -- C:\WINDOWS\vatwain.ini
[2006/01/07 15:00:53 | 00,000,022 | ---- | C] () -- C:\WINDOWS\ppdrv.ini
[2005/12/30 18:34:17 | 00,000,000 | ---- | C] () -- C:\WINDOWS\javaen.dll
[2005/05/15 17:06:00 | 00,000,163 | ---- | C] () -- C:\WINDOWS\UMAXDRV.INI
[2005/05/15 17:06:00 | 00,000,080 | ---- | C] () -- C:\WINDOWS\VTWAIN.INI
[2005/05/15 17:05:41 | 00,210,944 | ---- | C] () -- C:\WINDOWS\MSVCRT10.DLL
[2005/05/15 17:05:41 | 00,131,264 | ---- | C] () -- C:\WINDOWS\KCME0.DLL
[2005/05/15 17:05:41 | 00,098,236 | ---- | C] () -- C:\WINDOWS\KCME1.DLL
[2005/05/15 17:05:41 | 00,097,914 | ---- | C] () -- C:\WINDOWS\32KCME0.DLL
[2005/05/15 17:05:41 | 00,096,256 | ---- | C] () -- C:\WINDOWS\KPAPI.DLL
[2005/05/15 17:05:41 | 00,093,184 | ---- | C] () -- C:\WINDOWS\KPAPI32.DLL
[2005/05/15 17:05:41 | 00,070,548 | ---- | C] () -- C:\WINDOWS\KPMON.DLL
[2005/05/15 17:05:41 | 00,056,832 | ---- | C] () -- C:\WINDOWS\UCM_16.DLL
[2005/05/15 17:05:41 | 00,050,176 | ---- | C] () -- C:\WINDOWS\KPCP.DLL
[2005/05/15 17:05:41 | 00,049,152 | ---- | C] () -- C:\WINDOWS\UCM_32.DLL
[2005/05/15 17:05:41 | 00,017,920 | ---- | C] () -- C:\WINDOWS\KCMS_SYS.DLL
[2005/05/15 17:05:39 | 00,202,272 | ---- | C] () -- C:\WINDOWS\VS32.DLL
[2005/05/15 17:05:39 | 00,141,824 | ---- | C] () -- C:\WINDOWS\P1220_32.DLL
[2005/05/15 17:05:39 | 00,135,200 | ---- | C] () -- C:\WINDOWS\UDEPP32.DLL
[2005/05/15 17:05:38 | 00,038,400 | ---- | C] () -- C:\WINDOWS\VSCLI32.DLL
[2005/05/15 16:59:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PRESTOPM.INI
[2005/05/15 16:59:30 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2005/03/18 18:23:00 | 00,003,327 | ---- | C] () -- C:\WINDOWS\logos20.ini
[2005/02/11 08:18:20 | 00,000,176 | ---- | C] () -- C:\WINDOWS\WS_FTP.INI
[2005/02/10 08:51:08 | 00,000,216 | ---- | C] () -- C:\WINDOWS\SF32000.ini
[2005/01/18 08:33:02 | 00,000,165 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/01/16 10:04:33 | 00,000,112 | ---- | C] () -- C:\WINDOWS\WinInit.ini
[2004/10/16 09:38:19 | 00,002,613 | ---- | C] () -- C:\WINDOWS\PAW50.INI
[2004/10/16 09:38:19 | 00,000,805 | ---- | C] () -- C:\WINDOWS\BTI.INI
[2004/10/11 15:53:20 | 00,000,156 | ---- | C] () -- C:\WINDOWS\VERSES.INI
[2004/10/11 12:16:03 | 00,211,773 | ---- | C] () -- C:\Program Files\Salamander for cpying files.zip
[2004/10/10 18:47:34 | 00,000,034 | ---- | C] () -- C:\WINDOWS\regntdrv.ini
[2004/10/10 18:45:02 | 00,000,108 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2004/10/10 14:42:11 | 00,399,872 | ---- | C] () -- C:\WINDOWS\c4dstand.dll
[2004/10/10 14:41:58 | 00,003,371 | ---- | C] () -- C:\WINDOWS\Splash.ini
[2004/10/10 14:08:00 | 00,000,222 | ---- | C] () -- C:\WINDOWS\HPFTBX15.INI
[2004/09/17 08:43:58 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2004/09/17 08:43:58 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2004/09/17 08:43:57 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2004/09/17 08:43:57 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2004/09/17 08:43:57 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2004/09/17 08:43:57 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2004/08/14 09:26:32 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/08/13 01:30:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\JAWTAccessBridge.dll
[2004/08/13 01:29:07 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\PcdrKernelModeServices.dll
[2004/08/13 01:29:07 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\ProgressTrace.dll
[2004/08/13 01:23:52 | 00,167,936 | ---- | C] () -- C:\WINDOWS\System32\PCDrJNI_1_1.dll
[2004/08/13 01:16:40 | 00,024,799 | ---- | C] () -- C:\WINDOWS\System32\CHODDI.SYS
[2004/08/13 01:16:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\hpreg.dll
[2004/08/12 10:37:37 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/12 09:22:36 | 00,004,351 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2004/08/12 09:12:52 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004/08/12 08:18:02 | 00,299,073 | ---- | C] () -- C:\WINDOWS\System32\PythonCOM22.dll
[2004/08/12 08:18:02 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes22.dll
[2004/08/12 08:17:30 | 00,016,896 | ---- | C] () -- C:\WINDOWS\System32\bcbmm.dll
[2004/08/12 07:59:20 | 00,000,813 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/12 07:33:14 | 00,000,549 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/08/12 07:32:26 | 00,000,653 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/12 07:32:18 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/08/12 00:41:37 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/06/29 14:58:50 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/02/28 02:10:30 | 00,156,160 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2003/03/07 07:53:16 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\hpnvr82.dll
[2003/01/08 00:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1999/12/07 01:00:00 | 00,024,975 | ---- | C] () -- C:\WINDOWS\twain_16.dll
[1999/01/22 13:46:56 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 03:00:00 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL
[1997/09/05 04:49:54 | 00,001,166 | ---- | C] () -- C:\WINDOWS\IF40LE.INI
[1997/02/27 06:06:52 | 00,000,107 | ---- | C] () -- C:\WINDOWS\PEXPLORE.INI
[1996/09/26 05:20:22 | 00,000,245 | ---- | C] () -- C:\WINDOWS\UMXADDIN.INI

========== Alternate Data Streams ==========

@Alternate Data Stream - 152 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:0D786AE3
@Alternate Data Stream - 137 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >



 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Tue Oct 27, 2009 12:37 am 
Offline
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
Thanks for the info, I see one potential issue. But the references are old, so let's get a scan.

Because some malware can be easily removed, we recommend Malwarebytes' Anti-Malware be run.

It's important to let me know, however, if you experience any trouble getting to the site, downloading it, or opening it to run. Some rootkits target MBAM, and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit, which, if present, will require another special tool.

Download it from here and save it to your desktop. If you're using IE7 you may get prompted to allow the download, please do so.
  • Double-click mbam-setup.exe icon: Image and when the download dialog box appears, please tick the 'Launch Malwarebytes' Anti-Malware when download completes' as displayed:Image
  • Select your language when this option is displayed.
  • Follow default installation instructions
  • Decide if you would like a 'Start Menu' folder created when this option is displayed
  • Choose your options of preference on the 'Select Additional Tasks' screen
  • Review your choices at the 'Ready To Install' screen
  • At the end, be sure a checkmark is placed next to 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' as displayed here:Image
  • Then click the Image button
  • Please read the information box when it appears and click the Image button
  • Please allow access via your firewall if an alert is presented to you
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select 'Perform quick scan'
  • Then click button Image
  • When the scan is complete, you will be presented with a message as such, click the Image button then click the Image button
  • Be sure that each item has its box ticked as displayed here: Image and click Image.
  • When completed, a log will open in Notepad. Please save it to your desktop for easy access. Copy the contents of the file and paste it back into your thread for review along with a new HJT log as well. The MBAM log is also default saved to the following location: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt




 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Tue Oct 27, 2009 5:54 am 
Offline

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Below are logs as instructed

Thanks

Pick


Malwarebytes' Anti-Malware 1.41
Database version: 3039
Windows 5.1.2600 Service Pack 3

10/27/2009 7:44:45 AM
mbam-log-2009-10-27 (07-44-45).txt

Scan type: Quick Scan
Objects scanned: 131852
Time elapsed: 12 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\BulletProofSoft.com (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\BackUps (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Plugins (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Skin (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Update (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\BulletProofSoft.com\WinTrace Remover\unins000.dat (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\unins000.exe (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\wtr.chm (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\wtr.exe (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Plugins\PLUGINS.dbs (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Skin\wtr.skn (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Skin\wtr.spl (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Skin\wtr.swf (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Update\Update.cli (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Program Files\BulletProofSoft.com\WinTrace Remover\Update\Update.exe (Rogue.BulletProofSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\1ppt2pdf.dll (Trojan.Agent) -> Quarantined and deleted successfully.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:25 AM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatc ... p=aus&qkw=%s&tbid=%tb_id&%language
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80114
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://toolbar.inbox.com/search/ie.aspx?tbid=80114
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://toolbar.inbox.com/help/sa_custom ... tbid=80114
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry/do ... ysinfo.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5841447140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/ins ... csxp2k.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c99c3ee3b67be4) (gupdate1c99c3ee3b67be4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9921 bytes
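As an added illustration (not part of this thread, and not HijackThis code), here is a small Python triage helper for the HijackThis log format shown above. It parses each R/O entry into its section code, name, CLSID and target path, and marks the two things a reviewer checks first by hand: an entry whose referenced file is missing (like the qbwc O18 line in the log) and an O4 autorun that names a bare executable with no absolute path (like the SOUNDMAN.EXE and ALCWZRD.EXE Run entries). All names and the sample lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v2.0.2 line format of the log above;
# the qbwc line mirrors that log's one "(file missing)" entry.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
MISSING = "(file missing)"

@dataclass
class Entry:
    code: str                    # section code: R0/R1, O2, O4, O18, O23, ...
    name: str = ""               # friendly name, Run-key name or registry value
    clsid: Optional[str] = None  # COM class id when the line carries one
    path: str = ""               # file or URL the entry points at
    flags: List[str] = field(default_factory=list)  # reasons for manual review

def _command_target(cmd: str) -> str:  # quoted path, or first token of the command
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else ""

def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis entry; returns None for headers and blank lines."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    code, body = m.groups()
    e = Entry(code=code)
    if code.startswith("R"):                 # IE start/search page values
        key, _, value = body.partition(" =")
        e.name, e.path = key.rsplit(",", 1)[-1], value.strip()
    elif code == "O4":                       # Run keys and startup folders
        m4 = re.match(r"^[^:]+: \[([^\]]*)\] (.*)$", body)
        if m4:
            e.name, e.path = m4.group(1), _command_target(m4.group(2))
        if e.path and not ABS_PATH_RE.match(e.path):
            e.flags.append("no absolute path: loader resolves it via the search path")
    else:                                    # "Kind: Name - {CLSID} - path"
        parts = body.split(" - ")
        e.name = parts[0].partition(": ")[2] or parts[0]
        found = CLSID_RE.search(body)
        e.clsid = found.group(0) if found else None
        e.path = parts[-1].replace(MISSING, "").strip()
    if MISSING in line:
        e.flags.append("referenced file is missing")
    return e

def triage(log_text: str) -> List[Entry]:
    return [e for e in map(parse_line, log_text.splitlines()) if e]

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]
```

A flag only means "look at this by hand"; bare-filename Run entries are common for OEM audio and modem utilities, as in the log above, so the file actually found on the search path is what decides.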


 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Wed Oct 28, 2009 12:21 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
Sorry for long reply here.

The one I was concerned with was the last file, but not sure what the infection would do specifically. But I don't think it was overly aggressive based on the more generic name we gave it.

We can use some other tools to check for hidden files tho, just to be on the safe side.

Please download GMER from the link below and save it to your desktop
http://www.gmer.net/gmer.zip

Physically disconnect from Net by pulling out the cable from the machine & shut down all anti-virus and anti-spyware apps to prevent conflicts.
Disable as many applications as possible, this will give us less chance of false positives in log.

To run GMER:
*Double click gmer.exe to run it.
*Allow driver to install if asked (gmer.sys)
*You may get a warning at program start that there is possible rootkit activity and do you want to run scan.
*Say OK to run scan.
*If no warning, just click "scan".
*Let the scan finish.
*Once done press "save" and please be sure you use the OEM provided Notepad and give the log a name and save it to your desktop
Press save
Reconnect to the Net and send log.

Download the Avenger & save to desktop:

http://swandog46.geekstogo.com/avenger2/download.php

Unzip it. (right click> choose "extract all"> follow wizard to extract files.)
Avenger folder should open for you.
If unzipped properly -- Avenger icon looks like a sword.

Close as many running programs as possible including antimalware because you will be rebooting shortly.

Double click Avenger.exe & allow it to run.
Click OK to first prompt.
Have the following checked:
"check for rootkits"
Have the following UNchecked:
"Automatically disable all rootkits found"
Click "execute"
Click OK.
OK prompt about not having a script.
Windows will reboot.

Post the resulting C:\Avenger.txt here.

 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Wed Oct 28, 2009 1:13 pm 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Here are the logs:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-28 15:02:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\HP_ADM~1.YOU\LOCALS~1\Temp\uxldapoc.sys


---- System - GMER 1.0.15 ----

SSDT 86715D50 ZwAlertResumeThread
SSDT 86716EF0 ZwAlertThread
SSDT 86800570 ZwAllocateVirtualMemory
SSDT 85CB42D0 ZwAssignProcessToJobObject
SSDT 868C48A0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAAC51130]
SSDT 85CB5780 ZwCreateMutant
SSDT 867FD250 ZwCreateSymbolicLinkObject
SSDT 8671C5E8 ZwCreateThread
SSDT 85D2D650 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAAC513B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAAC51910]
SSDT 868006C8 ZwDuplicateObject
SSDT 86718C30 ZwFreeVirtualMemory
SSDT 85D2EB10 ZwImpersonateAnonymousToken
SSDT 86714850 ZwImpersonateThread
SSDT 868CD8C8 ZwLoadDriver
SSDT 86718A90 ZwMapViewOfSection
SSDT 867FEA88 ZwOpenEvent
SSDT 86800868 ZwOpenProcess
SSDT 8681D050 ZwOpenProcessToken
SSDT 8681A470 ZwOpenSection
SSDT 86800798 ZwOpenThread
SSDT 867FDC00 ZwProtectVirtualMemory
SSDT 868370B8 ZwResumeThread
SSDT 85D30050 ZwSetContextThread
SSDT 86718778 ZwSetInformationProcess
SSDT 8681A1D8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAAC51B60]
SSDT 8681AF10 ZwSuspendProcess
SSDT 86717ED0 ZwSuspendThread
SSDT 8681E050 ZwTerminateProcess
SSDT 867FFA90 ZwTerminateThread
SSDT 85CB7050 ZwUnmapViewOfSection
SSDT 86718F40 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 23E 804E4A78 4 Bytes JMP 0335867F
? SYMEFA.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Thanks

Pick ><>


 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Thu Oct 29, 2009 11:42 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
Not seeing anything odd there. Let's run one more tool.

Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and click the drop down menu next to Save as type and select Text (*.txt) and save the Autoruns.txt file to your desktop and close Autoruns.
  • Now double click on the Autoruns.txt file located on your desktop to open it with notepad and copy and paste its contents into your next reply.

 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Mon Nov 02, 2009 3:23 pm 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
My screen saver disappeared off my Desktop and when I browsed to find it under Appearances, it was not there anymore.

I left the office for about 2 hours, with my email on. When I returned, I had to go back into IE and then go back into email. In that process, I noticed that the screen saver was gone.

I will do a search for it, but I thought I would tell you about this event, in case it has something to do with what we have been talking about.

Pick


 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Thu Nov 12, 2009 12:25 pm 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Tried to download file

Tom....unable to send by pasting. The message I get is "maximum number of allowed characters is 60,000". The log has 171,962.

That is the reason why you never saw it.

Is there another way I can send?

Pick


 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Fri Nov 13, 2009 12:14 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
pick44 wrote:
Tried to download file

Tom....unable to send by pasting. The message I get is "maximum number of allowed characters is 60,000". The log has 171,962.

That is the reason why you never saw it.

Is there another way I can send?

Pick
Send it as an attachment.

 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Fri Nov 13, 2009 7:14 am 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Okay...here it is...


Attachments:
AutoRuns.txt [132.71 KiB]
Downloaded 81 times

 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Sat Nov 14, 2009 11:24 pm 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
Well nothing odd or unusual in that log.

At this point I'm comfortable in saying there isn't anything on your computer that's spying on you.

 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Sun Nov 15, 2009 6:08 am 

Joined: Sun Oct 25, 2009 7:33 am
Posts: 8
Tom

Thanks.



 
 Post subject: Re: Has Someone Tapped Into My Computer?
PostPosted: Mon Dec 07, 2009 12:17 am 
Site Admin

Joined: Fri Jan 28, 2005 5:16 pm
Posts: 15990
Location: PHX, AZ
pick44 wrote:
Tom

Thanks.
Happy to have helped.

Guess it's time we cleaned up some of the tools we used and then our recommendations to remain malware free.

Any specialty tools which were downloaded may be deleted and all pertaining folders as well. These tools constantly have their databases updated and\or have the method of how they work altered and in all likelihood you would need to download new ones.

Be sure your Java is up to date, many infections use exploits of unpatched systems.
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  • Select it and click Remove.
  • Then Download and install the newest version from here
Now that you have regained control of your machine, let's keep it clean. The apps listed below are the ones we recommend. They will help prevent further infections and can be trusted to work well on all systems.

SpywareBlaster will prevent known ActiveX installs, by setting killbits into the registry.
With Spyware Blaster, just DL, check for updates, enable all protection and you're done.

And either of the two following hosts file databases will keep an even stronger layer of defense: The latter contains more sites as they tend to include domains\IPs which are involved in even the slightest way with malware distribution or sites involved in any other sort of salacious activities. Basically, lay with dogs, get fleas type of thing.

To manage your hosts file we recommend using HostsXpert. With this tool, you can download the latest updates, merge them with another hosts file, edit entries and much more. It's freeware and works very well on all systems.

And to prevent unknown applications from being installed on your machine install WinPatrol 2008 v15. WinPatrol is also great at controlling which applications start with Windows. It's even got a nifty 'delay' feature.

Another thing I would suggest is to install SiteAdvisor or SiteHound. Each provides similar protection, tho SiteAdvisor also rates sites on business practices and spam. SiteHound will offer some content advice as well as security alerts on known rogue sites.

Confused about which apps are good or not? Read about anti-spyware apps pretending to be just that, but which are in fact apps that will infect you. For the latest software rated as such, check out this page.

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Happy surfing!!
Tom :D

As your infection removal here in this forum has been completed, we hope you take the time to look around and get involved in some of the other forums. The forums grow and become even more helpful with input from all of our members. We can all help everyone together as a community.

And if we've helped you out and you'd like to contribute to the costs maintaining the site please use the PayPal button as displayed at the top of the page.


This is 100% optional as all our help to you has always been free and will continue to be free forever.

****This topic has been successfully resolved and is now locked. If the original user needs to have this thread re-opened please PM me

Any other users with similar problems please use the 'New Topic' button to begin a new thread.****

Tom\TeMerc
