
Solved Data Execution Prevention is crashing IE (referred by Wildfire)

Discussion in 'Malware and Virus Removal Archive' started by CUISTech, 2010/03/11.

  1. 2010/03/11
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    [Resolved] Data Execution Prevention is crashing IE (referred by Wildfire)

    Original Topic


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by CUISTech at 12:20:42.57 on Thu 03/11/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1993.1369 [GMT -6:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Documents and Settings\CUISTech\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.hp.com
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
    BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\1.bin\MWSSRCAS.DLL
    BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
    mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe "
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
    mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
    uExplorerRun: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    uExplorerRun: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    uExplorerRun: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remote~1.lnk - c:\program files\symitar\sfw\RemoteAdminServer.exe
    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
    IE: &Search - http://edits.mywebsearch.com/toolba...YUS&si=&a=spFAVjRGPWA7CE6B6BS0eA&n=2010021209
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264545951608
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://jha.webex.com/client/T26L10NSP49EP32/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {602452C9-46DA-4D25-B056-7D265AB7CF3E} = 10.1.3.6,10.1.3.2
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-8 214024]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-8 635416]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-12-10 2477304]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-11-8 2066968]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-11-8 149600]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-5 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100310.037\NAVENG.SYS [2010-3-11 84912]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100310.037\NAVEX15.SYS [2010-3-11 1324720]
    S2 0257811260303525mcinstcleanup;McAfee Application Installer Cleanup (0257811260303525);c:\docume~1\admini~1\locals~1\temp\025781~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\025781~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-10 23888]
    S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-11-8 79816]
    S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-11-8 35272]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-8 34248]

    =============== Created Last 30 ================

    2010-03-10 14:05:53 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-03 22:39:34 0 d-----w- c:\docume~1\CUISTech\applic~1\webex
    2010-03-03 19:10:48 3062 ----a-w- c:\windows\SigPlus.ini
    2010-03-03 19:04:55 0 d-----w- c:\program files\Symitar
    2010-02-12 14:39:34 282 ----a-w- c:\windows\wininit.ini
    2010-02-12 14:39:32 28672 ----a-w- c:\windows\system32\f3PSSavr.scr
    2010-02-12 14:39:30 0 d-----w- c:\program files\MyWebSearch
    2010-02-12 14:39:04 0 d-----w- c:\program files\FunWebProducts
    2010-02-11 21:11:09 7680 --sha-w- c:\windows\Thumbs.db
    2010-02-11 21:11:08 7168 --sha-w- C:\Thumbs.db
    2010-02-11 21:10:46 7413 ----a-w- C:\2010sig.gif
    2010-02-10 23:09:10 0 ----a-w- c:\windows\BridgerInsight.INI
    2010-02-10 23:02:00 221184 ----a-w- c:\windows\system32\wmpns.dll
    2010-02-10 23:00:56 33280 ----a-w- c:\windows\system32\dllcache\csrsrv.dll
    2010-02-10 23:00:49 17920 ----a-w- c:\windows\system32\dllcache\msyuv.dll
    2010-02-10 23:00:44 8704 ----a-w- c:\windows\system32\dllcache\tsbyuv.dll
    2010-02-10 23:00:44 48128 ----a-w- c:\windows\system32\dllcache\iyuv_32.dll
    2010-02-10 23:00:44 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
    2010-02-10 23:00:44 11264 ----a-w- c:\windows\system32\dllcache\msrle32.dll
    2010-02-10 23:00:41 343040 ----a-w- c:\windows\system32\dllcache\mspaint.exe
    2010-02-10 22:54:59 17024 ----a-w- c:\windows\system32\drivers\CCDECODE.sys
    2010-02-10 22:49:15 3599000 ----a-w- c:\windows\system32\drivers\lvuvc.sys
    2010-02-10 22:49:12 416280 ----a-w- c:\windows\system32\lvcodec2.dll
    2010-02-10 22:49:09 465432 ----a-w- c:\windows\system32\LVUI2RC.dll
    2010-02-10 22:49:07 490008 ----a-w- c:\windows\system32\LVUI2.dll
    2010-02-10 22:48:56 19344 ----a-w- c:\windows\system32\Repository.reg
    2010-02-10 22:48:50 1920920 ----a-w- c:\windows\system32\drivers\lvpopflt.sys
    2010-02-10 22:48:49 41752 ----a-w- c:\windows\system32\drivers\LVUSBSta.sys
    2010-02-10 22:48:48 58163 ----a-w- c:\windows\system32\lvcoinst.ini
    2010-02-10 22:48:47 195096 ----a-w- c:\windows\system32\lvci1110.dll
    2010-02-10 22:48:45 22296 ----a-w- c:\windows\system32\drivers\lvuvcflt.sys
    2010-02-10 22:28:47 33821 ----a-w- c:\windows\system32\drivers\TopazUsb.sys
    2010-02-10 22:28:44 0 d-----w- c:\windows\SigPlus

    ==================== Find3M ====================

    2010-03-11 13:53:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-02-05 18:33:13 249856 ----a-w- c:\windows\Setup1.exe
    2010-02-05 18:14:26 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-02-05 15:57:13 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-02-05 15:57:13 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-02-05 15:57:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-02-05 15:57:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-02-04 22:21:10 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
    2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-11-08 06:42:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-12-08 22:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120820091209\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 12:20:53.21 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/8/2009 2:16:30 PM
    System Uptime: 3/10/2010 10:44:51 PM (14 hours ago)

    Motherboard: Hewlett-Packard | | 3048h
    Processor: Intel Pentium III Xeon processor | XU1 PROCESSOR | 2792/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 134.2 GiB free.
    D: is CDROM ()
    G: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    H: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    I: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    J: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    K: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    L: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    P: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    Q: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    T: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    U: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    V: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    W: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.
    Y: is NetworkDisk (NTFS) - 410 GiB total, 214.294 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2: 1/26/2010 4:49:12 PM - Software Distribution Service 3.0
    RP3: 1/26/2010 5:31:41 PM - Software Distribution Service 3.0
    RP4: 2/4/2010 2:57:10 PM - Installed ApplicationXtender Desktop 5.30 SP3
    RP5: 2/4/2010 3:23:12 PM - Removed 2007 Microsoft Office system
    RP6: 2/4/2010 3:30:05 PM - Software Distribution Service 3.0
    RP7: 2/4/2010 4:21:08 PM - Installed Java(TM) 6 Update 18
    RP8: 2/5/2010 9:42:54 AM - Installed Adobe Reader 9.3.
    RP9: 2/5/2010 10:02:28 AM - Installed Microsoft Office Standard Edition 2003
    RP10: 2/5/2010 10:22:13 AM - Installed BVS Quick-Connect Gateway
    RP11: 2/5/2010 12:18:42 PM - Installed RFG Crystal XI Framework
    RP12: 2/5/2010 12:26:20 PM - Installed RFG Live Update
    RP13: 2/5/2010 12:29:01 PM - Installed Integrator Hotfix - UDS
    RP14: 2/5/2010 12:29:04 PM - Installed Integrator Update: Consumer Segments
    RP15: 2/5/2010 12:30:26 PM - Installed Integrator 8.0 Hotfix 3C
    RP16: 2/5/2010 12:30:30 PM - Installed Integrator 8.0 Hotfix 5B
    RP17: 2/5/2010 2:26:48 PM - Installed HMDA Data Entry Software 2009
    RP18: 2/10/2010 4:28:39 PM - Topaz e-Signatures SigPlus 3.74 Installation
    RP19: 2/10/2010 4:32:33 PM - Topaz e-Signatures SigPlus 3.74 Installation
    RP20: 2/10/2010 4:50:51 PM - Logitech Camera Driver Install
    RP21: 2/11/2010 3:13:29 PM - Software Distribution Service 3.0
    RP22: 2/16/2010 2:42:16 PM - System Checkpoint
    RP23: 2/18/2010 10:09:58 PM - System Checkpoint
    RP24: 2/23/2010 7:20:54 PM - System Checkpoint
    RP25: 2/24/2010 9:36:20 AM - Software Distribution Service 3.0
    RP26: 2/25/2010 5:17:51 PM - System Checkpoint
    RP27: 3/1/2010 8:08:52 AM - System Checkpoint
    RP28: 3/2/2010 8:57:38 AM - System Checkpoint
    RP29: 3/3/2010 5:26:24 PM - System Checkpoint
    RP30: 3/4/2010 10:00:30 PM - System Checkpoint
    RP31: 3/6/2010 8:02:21 AM - System Checkpoint
    RP32: 3/8/2010 9:55:13 AM - System Checkpoint
    RP33: 3/9/2010 1:38:53 PM - System Checkpoint
    RP34: 3/10/2010 4:00:13 PM - Software Distribution Service 3.0

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3
    ApplicationXtender Desktop 5.30 SP3
    BlueZone
    BVS Quick-Connect Gateway
    HMDA Data Entry Software 2009
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952117-v2)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB958756)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    HP Help and Support
    Initial Episys Installation
    Integrator 8.0
    Integrator 8.0 Hotfix 3C
    Integrator 8.0 Hotfix 5B
    Integrator Hotfix - UDS
    Integrator Update: Consumer Segments
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Network Connections 13.5.32.0
    Intel Active Management Technology
    InterVideo WinDVD 8
    Java Auto Updater
    Java(TM) 6 Update 18
    LiveUpdate 3.3 (Symantec Corporation)
    Logitech QuickCam
    Logitech Camera Driver
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Standard Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    MMS32
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    MVision
    My Web Search (Smiley Central)
    PDF Complete Special Edition
    Realtek High Definition Audio Driver
    RFG Crystal XI Framework
    RFG Live Update
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Symantec Endpoint Protection
    SymForm
    Topaz e-Signatures SigPlus 3.74
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VNC Free Edition 4.1.2
    WebEx
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8

    ==== Event Viewer Messages From Past Week ========

    3/4/2010 5:30:05 PM, error: NETLOGON [5719] - No Domain Controller is available for domain [domain] due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    3/4/2010 5:19:13 PM, error: NETLOGON [5719] - No Domain Controller is available for domain [domain] due to the following: The RPC server is unavailable. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

    ==== End Of File ===========================
     
  2. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2010/03/11
    CUISTech

    CUISTech Inactive Thread Starter

    Can these be done via RDC or some other remote tool? Or do I need to be sitting at the keyboard?
     
  5. 2010/03/11
    broni

    broni Moderator Malware Analyst

    I'm not sure how comfortable you are with remote tools, so I can't tell you.
    Personally, I'd be there.
     
  6. 2010/03/15
    CUISTech

    CUISTech Inactive Thread Starter

    Please close this topic. I've been instructed to just run Spybot and Ad-Aware and resolve the problem when Symantec fails to work like it did. My boss is not familiar with MBAM and GMER, and doesn't trust them yet.

    Thanks, Broni, for taking the time to read this. Sorry to have wasted your time.
     
  7. 2010/03/15
    broni

    broni Moderator Malware Analyst

    No problem :)
     
  8. 2010/03/17
    CUISTech

    CUISTech Inactive Thread Starter

    Hey, Broni... Can we re-open this? I'm going to tell my boss that Ad-Aware and Spybot are returning 0 results now (which is true), and that everything should be fine. I'd like to work on this in the meantime, though.

    I can't run GMER because I'm not at the computer. It disconnects the computer when it finishes, so I can't save the log. I will, however, post all the logs I *do* have from today. (I wish I didn't have to change the computer... This probably makes it harder on you, but boss' orders and all. Let me know how I can help work this, though.)

    Here are the logs, in order.


    --- Report generated: 2010-03-17 11:02 ---

    FunWebProducts: [SBI $561F0D2E] User settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-3307\Software\Microsoft\Internet Explorer\MenuExt\&Search\=...http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml...

    FunWebProducts: [SBI $8CC75C5A] Settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-1706\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}

    FunWebProducts: [SBI $8CC75C5A] Settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-2288\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}

    FunWebProducts: [SBI $8CC75C5A] Settings (Registry value, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-3307\Software\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D}

    MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-1706\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

    MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-2288\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

    MyWay.MyWebSearch: [SBI $6404C538] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-3307\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

    MyWay.MyWebSearch: [SBI $B1C70274] Browser helper object (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-1706\Software\MyWebSearch

    MyWay.MyWebSearch: [SBI $B1C70274] Browser helper object (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-2288\Software\MyWebSearch

    MyWay.MyWebSearch: [SBI $B1C70274] Browser helper object (Registry key, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-3307\Software\MyWebSearch

    MyWay.MyWebSearch: [SBI $BF485355] IE toolbar (Registry value, fixed)
    HKEY_USERS\S-1-5-21-682003330-117609710-725345543-3307\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07B18EA9-A523-4961-B6BB-170DE4475CCA}

    Right Media: Tracking cookie (Internet Explorer: etaylor) (Cookie, fixed)


    FastClick: Tracking cookie (Internet Explorer: etaylor) (Cookie, fixed)



    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2010-03-15 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-02-17 Includes\Adware.sbi (*)
    2010-03-16 Includes\AdwareC.sbi (*)
    2010-01-25 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-03-16 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2010-03-16 Includes\HijackersC.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2010-03-16 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-03-02 Includes\Malware.sbi (*)
    2010-03-17 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2010-03-16 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-03-16 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-03-02 Includes\Spyware.sbi (*)
    2010-03-16 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-03-03 Includes\Trojans.sbi (*)
    2010-03-16 Includes\TrojansC-02.sbi (*)
    2010-03-16 Includes\TrojansC-03.sbi (*)
    2010-03-16 Includes\TrojansC-04.sbi (*)
    2010-03-17 Includes\TrojansC-05.sbi (*)
    2010-03-16 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
     
  9. 2010/03/17
    CUISTech

    CUISTech Inactive Thread Starter

    Logfile created: 3/17/2010 11:07:17
    Ad-Aware version: 8.2.0
    User performing scan: etaylor

    *********************** Definitions database information ***********************
    Lavasoft definition file: 149.177
    Genotype definition file version: 2010/03/16 15:53:58

    ******************************** Scan results: *********************************
    Scan profile name: Full Scan (ID: full)
    Objects scanned: 33959
    Objects detected: 135


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 17
    Hostfile entries: 0
    Files...........: 21
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 97
    Browser hijacks.: 0
    MRU objects.....: 0



    Skipped items:
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005466.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 101908 Family ID: 2075 MD5: f3ed25e48ad95ebae7c5003410f5595f
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005469.EXE Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373049 Family ID: 2075 MD5: 9abbe6f791c0b599a7128c9aca27c094
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005474.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 101901 Family ID: 2075 MD5: acb88f31279e312f633b24f48f8c0808
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005475.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 101903 Family ID: 2075 MD5: e651be4f6e4dcd99aa66ef80c5cdd28b
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005476.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1441211 Family ID: 2075 MD5: 807d3213938a474995cc69eb73e86de9
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005478.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1441198 Family ID: 2075 MD5: 61059f5398a9c44d7097be901bb83096
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005481.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373078 Family ID: 2075 MD5: 40f5c8587253ce8f534e53b0bd7bd8fc
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005482.SCR Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373067 Family ID: 2075 MD5: 4cd346697529efc743a608b2f5d0cc94
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005483.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1440304 Family ID: 2075 MD5: f79220b730d91fbf4d8c94ba91c1a857
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005485.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373073 Family ID: 2075 MD5: c4ff418909d55a7744b04774a83135c9
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005486.EXE Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1400669 Family ID: 2075 MD5: 1a2e51efc702c133e25dc2c8fca3db54
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005488.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 372996 Family ID: 2075 MD5: cee57e05eccf470e751689ded838b7d2
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005492.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373071 Family ID: 2075 MD5: d460eca5d4574507ff4dabcc2cbc5f2e
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005493.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373075 Family ID: 2075 MD5: 86445e5a1c4b02574d8bb1b49ebc1a73
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005494.EXE Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 379553 Family ID: 2075 MD5: fff6063f3245896a084068cd5d8250fe
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005496.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1440302 Family ID: 2075 MD5: 445ca5e2da8147d1c7bd7c6d5a8fac4f
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005497.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373112 Family ID: 2075 MD5: 26f833b7ad465a044a8da50b619775b2
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005499.DLL Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373072 Family ID: 2075 MD5: d1a29fbd9263013a3afd6bb24ee92604
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005500.EXE Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 1441204 Family ID: 2075 MD5: 0606cbcdc54d2e5971f2b6aec860ff6d
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005505.EXE Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 528034 Family ID: 2075 MD5: 319f6520eeace462c0fbfeb6ab400332
    Description: C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005513.scr Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 373067 Family ID: 2075 MD5: 4cd346697529efc743a608b2f5d0cc94
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499300 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499301 Family ID: 2075
    Description: HKU:S-1-5-21-682003330-117609710-725345543-1706\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499305 Family ID: 2075
    Description: HKU:S-1-5-21-682003330-117609710-725345543-2288\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499305 Family ID: 2075
    Description: HKU:S-1-5-21-682003330-117609710-725345543-3307\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499305 Family ID: 2075
    Description: HKCR:CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499318 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499323 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499324 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499325 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499326 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499327 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499328 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4D7B-9389-0F166788785A}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499331 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499332 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499334 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98D9753D-D73B-42D5-8C85-4469CDA897AB}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499336 Family ID: 2075
    Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9FF05104-B030-46FC-94B8-81276E4E27DF}: Family Name: MyWebSearch Engine: 1 Clean status: Success Item ID: 499337 Family ID: 2075

    Removed items:

    Scan and cleaning complete: Finished correctly after 393 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: full, enabled:1, value: Full Scan
    ID: folderstoscan, enabled:1, value: C:\
    ID: useantivirus, enabled:1, value: true
    ID: sections, enabled:1
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: true
    ID: scanhostsfile, enabled:1, value: true
    ID: scanmru, enabled:1, value: true
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: true
    ID: onlyexecutables, enabled:1, value: false
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true
    ID: rootkitlevel, enabled:1, value: mild, domain: medium,mild,strict
    ID: usespywareheuristics, enabled:1, value: true

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

    Scheduled scan settings:
    <Empty>

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: off, domain: normal,off,silently
    ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily1, enabled:1, value: Daily 1
    ID: time, enabled:1, value: Mon Mar 15 13:41:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily2, enabled:1, value: Daily 2
    ID: time, enabled:1, value: Mon Mar 15 19:41:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily3, enabled:1, value: Daily 3
    ID: time, enabled:1, value: Mon Mar 15 01:41:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updatedaily4, enabled:1, value: Daily 4
    ID: time, enabled:1, value: Mon Mar 15 07:41:00 2010
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly1, enabled:1, value: Weekly
    ID: time, enabled:1, value: Mon Mar 15 13:41:00 2010
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: true
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: true
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: autoentertainmentmode, enabled:1, value: true
    ID: guimode, enabled:1, value: mode_simple, domain: mode_advanced,mode_simple
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: modules, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: onaccessprotection, enabled:1, value: true
    ID: registryprotection, enabled:1, value: true
    ID: networkprotection, enabled:1, value: true
    ID: layers, enabled:1
    ID: useantivirus, enabled:1, value: true
    ID: usespywareheuristics, enabled:1, value: true
    ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


    ****************************** System information ******************************
    Computer name: CSDFSR99
    Processor name: Pentium(R) Dual-Core CPU E6300 @ 2.80GHz
    Processor identifier: x86 Family 6 Model 23 Stepping 10
    Processor speed: ~2793MHZ
    Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 5898, number of processors 2, processor features: [MMX,SSE,SSE2]
    Physical memory available: 1161949184 bytes
    Physical memory total: 2089992192 bytes
    Virtual memory available: 1767587840 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 44%
    Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 768 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 816 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 840 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 892 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 904 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1076 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1160 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1248 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1356 name: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1388 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1472 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1572 name: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1904 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1940 name: C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 328 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 548 name: C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 580 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 652 name: C:\Program Files\Intel\AMT\LMS.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 740 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1216 name: C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE owner: SYSTEM domain: NT AUTHORITY
    PID: 1300 name: C:\Program Files\PDF Complete\pdfsvc.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1296 name: C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1504 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1544 name: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1960 name: C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 244 name: C:\Program Files\RealVNC\VNC4\WinVNC4.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1500 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 2208 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 10040 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 9332 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 10172 name: C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe owner: etaylor domain: NCU
    PID: 8312 name: C:\WINDOWS\system32\rdpclip.exe owner: etaylor domain: NCU
    PID: 8928 name: C:\WINDOWS\Explorer.EXE owner: etaylor domain: NCU
    PID: 7844 name: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe owner: etaylor domain: NCU
    PID: 7576 name: C:\WINDOWS\system32\logon.scr owner: SYSTEM domain: NT AUTHORITY
    PID: 8196 name: C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe owner: etaylor domain: NCU
    PID: 8884 name: C:\WINDOWS\RTHDCPL.EXE owner: etaylor domain: NCU
    PID: 8408 name: C:\Program Files\Common Files\Java\Java Update\jusched.exe owner: etaylor domain: NCU
    PID: 7148 name: C:\Program Files\Common Files\Symantec Shared\ccApp.exe owner: etaylor domain: NCU
    PID: 6828 name: C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe owner: etaylor domain: NCU
    PID: 9964 name: C:\Program Files\Logitech\QuickCam\Quickcam.exe owner: etaylor domain: NCU
    PID: 9980 name: C:\WINDOWS\system32\ctfmon.exe owner: etaylor domain: NCU
    PID: 776 name: C:\Program Files\Symitar\SFW\RemoteAdminServer.exe owner: etaylor domain: NCU
    PID: 4152 name: C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe owner: etaylor domain: NCU
    PID: 3704 name: C:\WINDOWS\system32\wuauclt.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 6420 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 8716 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: etaylor domain: NCU
    PID: 9608 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 9484 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: etaylor domain: NCU

    Startup items:
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name: IgfxTray
    imagepath: C:\WINDOWS\system32\igfxtray.exe
    Name: HotKeysCmds
    imagepath: C:\WINDOWS\system32\hkcmd.exe
    Name: Persistence
    imagepath: C:\WINDOWS\system32\igfxpers.exe
    Name: picon
    imagepath: "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
    Name: RTHDCPL
    imagepath: RTHDCPL.EXE
    Name: PDF Complete
    imagepath: C:\Program Files\PDF Complete\pdfsty.exe
    Name: SetRefresh
    imagepath: C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    Name: SunJavaUpdateSched
    imagepath: "C:\Program Files\Common Files\Java\Java Update\jusched.exe "
    Name: Adobe Reader Speed Launcher
    imagepath: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    Name: Adobe ARM
    imagepath: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    Name: ccApp
    imagepath: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    Name: LogitechCommunicationsManager
    imagepath: "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe "
    Name: LogitechQuickCamRibbon
    imagepath: "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    Name:
    location: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Remote Admin Server.lnk
    imagepath: C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    Name:
    imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *

    Running services:
    Name: ALG
    displayname: Application Layer Gateway Service
    Name: AudioSrv
    displayname: Windows Audio
    Name: BITS
    displayname: Background Intelligent Transfer Service
    Name: Browser
    displayname: Computer Browser
    Name: ccEvtMgr
    displayname: Symantec Event Manager
    Name: ccSetMgr
    displayname: Symantec Settings Manager
    Name: CryptSvc
    displayname: Cryptographic Services
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: dmserver
    displayname: Logical Disk Manager
    Name: Dnscache
    displayname: DNS Client
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: helpsvc
    displayname: Help and Support
    Name: HidServ
    displayname: HID Input Service
    Name: IviRegMgr
    displayname: IviRegMgr
    Name: JavaQuickStarterService
    displayname: Java Quick Starter
    Name: LanmanServer
    displayname: Server
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: LMS
    displayname: Intel(R) Management and Security Application Local Management Service
    Name: LVCOMSer
    displayname: LVCOMSer
    Name: LVPrcSrv
    displayname: Process Monitor
    Name: MDM
    displayname: Machine Debug Manager
    Name: Netlogon
    displayname: Net Logon
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: pdfcDispatcher
    displayname: PDF Document Manager
    Name: PlugPlay
    displayname: Plug and Play
    Name: PolicyAgent
    displayname: IPSEC Services
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: PSI_SVC_2
    displayname: Protexis Licensing V2
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RemoteRegistry
    displayname: Remote Registry
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: SharedAccess
    displayname: Windows Firewall/Internet Connection Sharing (ICS)
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: SmcService
    displayname: Symantec Management Client
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: SSDPSRV
    displayname: SSDP Discovery Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: Symantec AntiVirus
    displayname: Symantec Endpoint Protection
    Name: TapiSrv
    displayname: Telephony
    Name: TermService
    displayname: Terminal Services
    Name: Themes
    displayname: Themes
    Name: TrkWks
    displayname: Distributed Link Tracking Client
    Name: UNS
    displayname: Intel(R) Management and Security Application User Notification Service
    Name: W32Time
    displayname: Windows Time
    Name: WebClient
    displayname: WebClient
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: WinVNC4
    displayname: VNC Server Version 4
    Name: wuauserv
    displayname: Automatic Updates
    Name: WZCSVC
    displayname: Wireless Zero Configuration
     
  10. 2010/03/17
    CUISTech

    Malwarebytes' Anti-Malware 1.44
    Database version: 3876
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/17/2010 12:31:56 PM
    mbam-log-2010-03-17 (12-31-56).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 274688
    Time elapsed: 30 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 19
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 29

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@mywebsearch.com/Plugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005466.DLL (Adware.FunWeb) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005469.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005470.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005471.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005474.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005477.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005482.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005483.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005485.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005486.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005489.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005490.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005491.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005492.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005493.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005495.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005496.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005497.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005498.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005499.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005500.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005501.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005502.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005503.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005504.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005505.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005506.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005513.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{DD0CF2F7-77D2-4945-B346-6B5613DA5B5D}\RP37\A0005494.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
     
  11. 2010/03/17
    CUISTech

    Malwarebytes' Anti-Malware 1.44
    Database version: 3876
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/17/2010 1:08:57 PM
    mbam-log-2010-03-17 (13-08-57).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 274897
    Time elapsed: 29 minute(s), 47 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  12. 2010/03/17
    CUISTech

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by etaylor at 13:09:41.26 on Wed 03/17/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1993.1229 [GMT -5:00]

    AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\logon.scr
    C:\Documents and Settings\etaylor\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.hp.com
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
    mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe "
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    uExplorerRun: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    uExplorerRun: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    uExplorerRun: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remote~1.lnk - c:\program files\symitar\sfw\RemoteAdminServer.exe
    uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
    IE: &Search - ?s=100000348&p=ZSYYYYYYYYUS&si=&a=spFAVjRGPWA7CE6B6BS0eA&n=2010021209
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264545951608
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://jha.webex.com/client/T26L10NSP49EP32/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {602452C9-46DA-4D25-B056-7D265AB7CF3E} = 10.1.3.6,10.1.3.2
    Notify: igfxcui - igfxdev.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-15 64288]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-8 214024]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-12-10 108392]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1229232]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-11-8 635416]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-12-10 2477304]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-11-8 2066968]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-11-8 149600]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-5 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-12-18 44800]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100316.003\NAVENG.SYS [2010-3-16 84912]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100316.003\NAVEX15.SYS [2010-3-16 1324720]
    S2 0257811260303525mcinstcleanup;McAfee Application Installer Cleanup (0257811260303525);c:\docume~1\admini~1\locals~1\temp\025781~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\admini~1\locals~1\temp\025781~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-12-10 23888]
    S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-11-8 79816]
    S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-11-8 35272]
    S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-11-8 34248]

    =============== Created Last 30 ================

    2010-03-17 16:44:53 0 d-----w- c:\docume~1\etaylor\applic~1\Malwarebytes
    2010-03-17 16:44:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-17 16:44:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-03-17 16:44:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-17 16:44:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-17 16:13:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-03-17 16:06:35 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-15 18:41:12 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-03-15 18:36:59 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-15 18:36:52 0 d-----w- c:\program files\Lavasoft
    2010-03-15 18:28:01 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-15 18:28:01 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-03-10 14:05:53 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-03 22:39:34 0 d-----w- c:\docume~1\etaylor\applic~1\webex
    2010-03-03 19:10:48 3062 ----a-w- c:\windows\SigPlus.ini
    2010-03-03 19:04:55 0 d-----w- c:\program files\Symitar

    ==================== Find3M ====================

    2010-03-17 17:33:39 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-02-05 18:33:13 249856 ----a-w- c:\windows\Setup1.exe
    2010-02-05 18:14:26 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-02-05 15:57:13 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-02-05 15:57:13 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-02-05 15:57:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-02-05 15:57:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-02-04 22:21:10 411368 ----a-w- c:\windows\system32\deploytk.dll
    2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\dllcache\srv.sys
    2009-12-21 13:19:18 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
    2009-11-08 06:42:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-12-08 22:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009120820091209\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\cookies\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
    2009-12-08 22:15:14 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

    ============= FINISH: 13:09:55.77 ===============
     
  13. 2010/03/17
    CUISTech

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/8/2009 2:16:30 PM
    System Uptime: 3/17/2010 12:33:24 PM (1 hours ago)

    Motherboard: Hewlett-Packard | | 3048h
    Processor: Intel Pentium III Xeon processor | XU1 PROCESSOR | 2793/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 133.085 GiB free.
    D: is CDROM ()
    G: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    H: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    I: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    J: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    K: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    L: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    P: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    Q: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    T: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    U: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    V: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    W: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.
    Y: is NetworkDisk (NTFS) - 410 GiB total, 212.761 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP2: 1/26/2010 4:49:12 PM - Software Distribution Service 3.0
    RP3: 1/26/2010 5:31:41 PM - Software Distribution Service 3.0
    RP4: 2/4/2010 2:57:10 PM - Installed ApplicationXtender Desktop 5.30 SP3
    RP5: 2/4/2010 3:23:12 PM - Removed 2007 Microsoft Office system
    RP6: 2/4/2010 3:30:05 PM - Software Distribution Service 3.0
    RP7: 2/4/2010 4:21:08 PM - Installed Java(TM) 6 Update 18
    RP8: 2/5/2010 9:42:54 AM - Installed Adobe Reader 9.3.
    RP9: 2/5/2010 10:02:28 AM - Installed Microsoft Office Standard Edition 2003
    RP10: 2/5/2010 10:22:13 AM - Installed BVS Quick-Connect Gateway
    RP11: 2/5/2010 12:18:42 PM - Installed RFG Crystal XI Framework
    RP12: 2/5/2010 12:26:20 PM - Installed RFG Live Update
    RP13: 2/5/2010 12:29:01 PM - Installed Integrator Hotfix - UDS
    RP14: 2/5/2010 12:29:04 PM - Installed Integrator Update: Consumer Segments
    RP15: 2/5/2010 12:30:26 PM - Installed Integrator 8.0 Hotfix 3C
    RP16: 2/5/2010 12:30:30 PM - Installed Integrator 8.0 Hotfix 5B
    RP17: 2/5/2010 2:26:48 PM - Installed HMDA Data Entry Software 2009
    RP18: 2/10/2010 4:28:39 PM - Topaz e-Signatures SigPlus 3.74 Installation
    RP19: 2/10/2010 4:32:33 PM - Topaz e-Signatures SigPlus 3.74 Installation
    RP20: 2/10/2010 4:50:51 PM - Logitech Camera Driver Install
    RP21: 2/11/2010 3:13:29 PM - Software Distribution Service 3.0
    RP22: 2/16/2010 2:42:16 PM - System Checkpoint
    RP23: 2/18/2010 10:09:58 PM - System Checkpoint
    RP24: 2/23/2010 7:20:54 PM - System Checkpoint
    RP25: 2/24/2010 9:36:20 AM - Software Distribution Service 3.0
    RP26: 2/25/2010 5:17:51 PM - System Checkpoint
    RP27: 3/1/2010 8:08:52 AM - System Checkpoint
    RP28: 3/2/2010 8:57:38 AM - System Checkpoint
    RP29: 3/3/2010 5:26:24 PM - System Checkpoint
    RP30: 3/4/2010 10:00:30 PM - System Checkpoint
    RP31: 3/6/2010 8:02:21 AM - System Checkpoint
    RP32: 3/8/2010 9:55:13 AM - System Checkpoint
    RP33: 3/9/2010 1:38:53 PM - System Checkpoint
    RP34: 3/10/2010 4:00:13 PM - Software Distribution Service 3.0
    RP35: 3/11/2010 5:20:12 PM - System Checkpoint
    RP36: 3/12/2010 5:29:22 PM - System Checkpoint
    RP37: 3/15/2010 1:47:51 AM - System Checkpoint
    RP38: 3/16/2010 10:41:52 PM - System Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3
    ApplicationXtender Desktop 5.30 SP3
    BlueZone
    BVS Quick-Connect Gateway
    HMDA Data Entry Software 2009
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952117-v2)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB958756)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    HP Help and Support
    Initial Episys Installation
    Integrator 8.0
    Integrator 8.0 Hotfix 3C
    Integrator 8.0 Hotfix 5B
    Integrator Hotfix - UDS
    Integrator Update: Consumer Segments
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Network Connections 13.5.32.0
    Intel® Active Management Technology
    InterVideo WinDVD 8
    Java Auto Updater
    Java(TM) 6 Update 18
    LiveUpdate 3.3 (Symantec Corporation)
    Logitech QuickCam
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Standard Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    MMS32
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB933579)
    MVision
    PDF Complete Special Edition
    Realtek High Definition Audio Driver
    RFG Crystal XI Framework
    RFG Live Update
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978706)
    Spybot - Search & Destroy
    Symantec Endpoint Protection
    SymForm
    Topaz e-Signatures SigPlus 3.74
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VNC Free Edition 4.1.2
    WebEx
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8

    ==== End Of File ===========================
     
  14. 2010/03/17
    CUISTech Inactive Thread Starter
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:38:48 PM, on 3/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\etaylor\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
    O4 - HKCU\..\Policies\Explorer\Run: [2] regedit /c/s \\10.1.3.6\shared\chm.reg
    O4 - HKCU\..\Policies\Explorer\Run: [3] regedit /c/s \\10.1.3.6\shared\helpfiles.reg
    O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Search - ?s=100000348&p=ZSYYYYYYYYUS&si=&a=spFAVjRGPWA7CE6B6BS0eA&n=2010021209
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
    O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264545951608
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jha.webex.com/client/T26L10NSP49EP32/webex/ieatgpc.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncu.local
    O17 - HKLM\Software\..\Telephony: DomainName = ncu.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{602452C9-46DA-4D25-B056-7D265AB7CF3E}: NameServer = 10.1.3.6,10.1.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncu.local
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ncu.local
    O23 - Service: McAfee Application Installer Cleanup (0257811260303525) (0257811260303525mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 9525 bytes
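Reading a HijackThis log of this length by hand is slow and error-prone, so the script below is an added example (it is not part of the original thread and not HijackThis code) that parses the one-line-per-entry HJT format and ranks the entries an analyst would look at first: dead references ("(file missing)", "(no file)"), services with no recognised vendor, launch targets under a Temp directory, Policies\Explorer\Run autoruns, UNC targets, IE proxy and Trusted Zone changes, and remote-control software. The flagging rules, the reason strings and the nine sample lines (copied from the log above) are this example's own assumptions; a flag means "confirm this is expected", not "malicious". The regedit /s entries that load .reg files from a domain share, for instance, are a typical logon-policy pattern and are only surfaced so they can be checked against what the domain administrator intended.

```python
"""Triage a HijackThis 2.0 log.

Added example for this thread; it is not part of the original post and not
HijackThis code. The flagging rules below are this example's own assumptions,
meant to rank entries for manual review, not to declare anything malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: nine lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Policies\Explorer\Run: [1] regedit /c/s \\10.1.3.6\shared\BlueZoneFirewall.reg
O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
O23 - Service: McAfee Application Installer Cleanup (0257811260303525) (0257811260303525mcinstcleanup) - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Every HJT entry is one line: a section tag (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    entry: Entry
    reasons: list


def parse_entries(text):
    """Return the HJT entries in text, skipping headers, process lists and blanks."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def reasons_for(e):
    """Heuristic review reasons for one entry (assumptions of this example)."""
    body, low = e.body, e.body.lower()
    reasons = []
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned: points at a file that no longer exists")
    if re.search(r"\\temp\\|\\locals~1\\", low):
        reasons.append("temp: launch target lives under a Temp directory")
    if "unknown owner" in low:
        reasons.append("unknown owner: service binary carries no recognised vendor")
    if e.section == "O4" and r"policies\explorer\run" in low:
        reasons.append("policy autorun: Policies\\Explorer\\Run entry, re-applied at every logon")
    if e.section == "O4" and re.search(r"\\\\[\w.-]+\\", body):
        reasons.append("network share: autorun target is a UNC path")
    if e.section == "R1" and "proxyserver" in low:
        reasons.append("proxy: IE proxy set; confirm it is the expected corporate proxy")
    if e.section == "O15":
        reasons.append("trusted zone: site granted a higher-trust IE zone")
    if any(k in low for k in ("vnc", "remoteadmin", "remote admin")):
        reasons.append("remote access: remote-control software present; confirm it is sanctioned")
    return reasons


def triage(text):
    """Parse a whole HJT log and return only the entries with at least one reason."""
    findings = []
    for e in parse_entries(text):
        reasons = reasons_for(e)
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.section}: {f.entry.body[:80]}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the full posted log instead of SAMPLE_LOG to get the same ranking for all 69 entries; the signed, vendor-named entries (Symantec, Adobe, Logitech, Intel) fall through with no reasons, which is the point of the filter.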
     
  15. 2010/03/17
    broni Moderator Malware Analyst
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. 2010/03/29
    CUISTech Inactive Thread Starter
    Sorry it took a week getting this out... vacation called me away from all things digital...

    ComboFix 10-03-28.03 - etaylor 03/29/2010 13:11:42.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1993.1133 [GMT -5:00]
    Running from: c:\documents and settings\etaylor\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\recycler\S-1-5-21-2696585728-3528824684-3534746004-500
    C:\Thumbs.db
    c:\windows\system32\Ijl11.dll
    c:\windows\system32\zip32.dll

    ----- BITS: Possible infected sites -----

    hxxp://ncuexch2
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
    .

    2010-03-29 13:57 . 2010-03-29 13:57 -------- d-----w- c:\program files\IncrediMail
    2010-03-19 21:11 . 2010-03-19 21:11 -------- d-----w- c:\program files\XtenderSolutions
    2010-03-19 21:11 . 2010-03-19 21:14 -------- d-----w- c:\windows\Pixtran
    2010-03-19 21:11 . 2010-03-19 21:55 -------- d-----w- c:\program files\Common Files\XtenderSolutions
    2010-03-19 15:20 . 2010-03-19 15:20 -------- d-----w- c:\program files\Symitar
    2010-03-18 18:41 . 2010-03-18 18:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-18 12:53 . 2010-03-18 12:53 -------- d-sh--w- c:\documents and settings\abales.NCU.000\IECompatCache
    2010-03-17 18:05 . 2010-03-17 18:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\documents and settings\etaylor\Application Data\Malwarebytes
    2010-03-17 16:44 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-17 16:44 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-17 16:13 . 2010-03-17 16:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-03-17 16:05 . 2010-03-18 18:41 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
    2010-03-17 16:05 . 2010-03-18 18:41 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
    2010-03-17 16:05 . 2010-03-18 18:41 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
    2010-03-17 16:05 . 2010-03-18 18:41 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
    2010-03-17 16:05 . 2010-03-18 18:41 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
    2010-03-17 16:05 . 2010-03-18 18:41 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
    2010-03-16 13:31 . 2010-03-16 13:31 -------- d-----w- c:\documents and settings\abales.NCU.000\Application Data\webex
    2010-03-15 18:41 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-03-15 18:36 . 2010-03-15 18:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-15 18:36 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-03-15 18:36 . 2010-03-15 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 18:36 . 2010-03-15 18:37 -------- d-----w- c:\program files\Lavasoft
    2010-03-15 18:28 . 2010-03-17 15:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-15 18:28 . 2010-03-15 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-15 18:07 . 2010-03-15 18:07 -------- d-sh--w- c:\documents and settings\administrator.NCU\PrivacIE
    2010-03-10 14:05 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-05 16:03 . 2010-03-05 16:08 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Adobe
    2010-03-05 14:14 . 2010-03-05 14:14 -------- d-sh--w- c:\documents and settings\abales.NCU.000\PrivacIE
    2010-03-04 22:21 . 2010-03-04 22:21 503808 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\msvcp71.dll
    2010-03-04 22:21 . 2010-03-04 22:21 499712 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\jmc.dll
    2010-03-04 22:21 . 2010-03-04 22:21 348160 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\msvcr71.dll
    2010-03-04 22:20 . 2010-03-04 22:20 61440 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45e0b815-n\decora-sse.dll
    2010-03-04 22:20 . 2010-03-04 22:20 12800 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45e0b815-n\decora-d3d.dll
    2010-03-04 21:53 . 2010-03-04 21:53 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Symitar
    2010-03-04 21:52 . 2009-11-08 06:51 -------- d-----w- c:\documents and settings\abales.NCU.000\Application Data\SiteAdvisor
    2010-03-04 21:52 . 2009-11-08 06:48 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Seven Zip
    2010-03-04 21:52 . 2009-11-08 06:47 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Microsoft Help
    2010-03-04 21:52 . 2009-11-08 06:42 -------- d-sh--w- c:\documents and settings\abales.NCU.000\IETldCache
    2010-03-04 17:07 . 2010-03-04 17:07 503808 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\msvcp71.dll
    2010-03-03 22:14 . 2010-03-03 22:14 -------- d-----w- c:\documents and settings\testuser\Local Settings\Application Data\Symitar
    2010-03-03 21:59 . 2010-03-03 21:59 -------- d-----w- c:\documents and settings\scavallone\Local Settings\Application Data\Symitar
    2010-03-03 21:59 . 2010-03-03 21:59 -------- d-----w- c:\documents and settings\scavallone\Local Settings\Application Data\Symantec

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-29 12:48 . 2010-02-10 22:54 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-03-25 05:45 . 2009-11-08 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC
    2010-03-19 15:27 . 2009-11-08 06:44 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-18 18:41 . 2010-03-17 16:06 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
    2010-03-18 18:41 . 2010-03-17 16:06 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
    2010-03-18 18:41 . 2010-03-17 16:06 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
    2010-03-18 18:41 . 2010-03-17 16:06 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
    2010-03-18 18:41 . 2010-03-17 16:06 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
    2010-03-18 18:41 . 2010-03-17 16:06 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
    2010-03-18 18:41 . 2010-03-17 16:06 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
    2010-03-18 18:41 . 2010-03-17 16:06 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
    2010-03-18 18:41 . 2010-03-17 16:06 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
    2010-03-17 19:53 . 2010-02-04 22:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-17 16:06 . 2010-03-17 16:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-17 16:06 . 2010-03-17 16:06 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
    2010-03-17 16:06 . 2010-03-17 16:06 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
    2010-03-17 16:06 . 2010-03-17 16:06 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
    2010-03-17 16:06 . 2010-03-17 16:06 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2010-03-17 16:06 . 2010-03-17 16:06 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
    2010-03-17 16:06 . 2010-03-17 16:06 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
    2010-03-17 16:06 . 2010-03-17 16:06 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
    2010-03-17 16:06 . 2010-03-17 16:06 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
    2010-03-04 21:53 . 2010-03-04 21:52 69264 ----a-w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-04 17:08 . 2010-03-04 17:08 69264 ----a-w- c:\documents and settings\administrator.NCU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-04 17:07 . 2010-03-04 17:07 499712 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\jmc.dll
    2010-03-04 17:07 . 2010-03-04 17:07 348160 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\msvcr71.dll
    2010-03-04 17:07 . 2010-03-04 17:07 61440 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d36fc2b-n\decora-sse.dll
    2010-03-04 17:07 . 2010-03-04 17:07 12800 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d36fc2b-n\decora-d3d.dll
    2010-03-03 22:39 . 2010-03-03 22:39 -------- d-----w- c:\documents and settings\etaylor\Application Data\webex
    2010-03-03 22:26 . 2010-03-03 22:25 69264 ----a-w- c:\documents and settings\abales.NCU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 22:14 . 2010-03-03 22:14 69264 ----a-w- c:\documents and settings\testuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 21:59 . 2010-03-03 21:58 69264 ----a-w- c:\documents and settings\scavallone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 19:04 . 2009-11-08 06:44 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-02-12 22:28 . 2010-02-12 22:28 69264 ----a-w- c:\documents and settings\phouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 22:54 . 2010-02-10 22:43 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-02-10 22:50 . 2010-02-10 22:50 10134 ----a-r- c:\documents and settings\etaylor\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
    2010-02-10 22:43 . 2010-02-10 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
    2010-02-10 22:43 . 2010-02-10 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2010-02-10 22:43 . 2010-02-10 22:43 -------- d-----w- c:\program files\Logitech
    2010-02-10 22:24 . 2009-11-08 06:44 69264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-05 20:23 . 2009-12-08 20:21 69264 ----a-w- c:\documents and settings\etaylor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-05 18:42 . 2010-02-05 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-02-05 18:33 . 2010-02-05 18:33 249856 ----a-w- c:\windows\Setup1.exe
    2010-02-05 18:18 . 2010-02-05 18:18 -------- d-----w- c:\program files\Common Files\Business Objects
    2010-02-05 18:18 . 2010-02-05 18:18 -------- d-----w- c:\program files\Business Objects
    2010-02-05 18:14 . 2010-02-05 18:14 -------- d-----w- c:\program files\RFG
    2010-02-05 18:14 . 2010-02-05 18:14 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-02-05 18:12 . 2010-02-05 18:12 -------- d-----w- c:\program files\SEAGULL
    2010-02-05 16:22 . 2010-02-05 16:22 -------- d-----w- c:\program files\BVS Performance Systems
    2010-02-05 16:21 . 2010-02-05 16:21 -------- d-----w- c:\program files\QConnect
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Common Files\L&H
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Microsoft ActiveSync
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Microsoft Works
    2010-02-05 16:02 . 2010-02-05 16:02 -------- d-----w- c:\program files\Microsoft.NET
    2010-02-05 15:58 . 2010-02-05 15:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-05 15:58 . 2010-02-05 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-05 15:57 . 2010-02-05 15:57 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-02-05 15:57 . 2010-02-05 15:57 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-02-05 15:57 . 2010-02-05 15:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-02-05 15:57 . 2010-02-05 15:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-02-05 15:57 . 2010-02-05 15:56 -------- d-----w- c:\program files\Symantec
    2010-02-05 15:43 . 2010-02-05 15:42 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-05 15:39 . 2010-02-04 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-04 22:21 . 2010-02-04 22:21 503808 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\msvcp71.dll
    2010-02-04 22:21 . 2010-02-04 22:21 499712 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\jmc.dll
    2010-02-04 22:21 . 2010-02-04 22:21 348160 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\msvcr71.dll
    2010-02-04 22:21 . 2010-02-04 22:21 -------- d-----w- c:\program files\Common Files\Java
    2010-02-04 22:21 . 2010-02-04 22:21 61440 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51015268-n\decora-sse.dll
    2010-02-04 22:21 . 2010-02-04 22:21 12800 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51015268-n\decora-d3d.dll
    2010-02-04 22:21 . 2010-02-04 22:21 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-04 22:21 . 2010-02-04 22:21 -------- d-----w- c:\program files\Java
    2010-02-04 22:07 . 2010-02-04 22:06 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
    2010-02-04 21:45 . 2010-02-04 21:45 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-02-04 21:23 . 2009-11-08 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-12-31 16:50 . 2008-04-14 09:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
    "RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-10 115560]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Remote Admin Server.lnk - c:\program files\Symitar\SFW\RemoteAdminServer.exe [2010-3-19 266752]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\1\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\1\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-500\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:41 PM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1263728]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/8/2009 1:48 AM 635416]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [11/8/2009 1:44 AM 2066968]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [11/8/2009 2:33 AM 149600]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2010 1:28 PM 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 12:46 PM 44800]
    S2 0257811260303525mcinstcleanup;McAfee Application Installer Cleanup (0257811260303525);c:\docume~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/10/2009 5:31 PM 23888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hp.com
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {602452C9-46DA-4D25-B056-7D265AB7CF3E} = 10.1.3.6,10.1.3.2
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-Symantec Antvirus



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-29 13:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(844)
    c:\windows\system32\igfxdev.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-03-29 13:15:16
    ComboFix-quarantined-files.txt 2010-03-29 18:15

    Pre-Run: 141,433,888,768 bytes free
    Post-Run: 142,219,657,216 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 3EB57C88A644D00859CCB42D4B88415B
     
  17. 2010/03/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\lvuvc.hs
    
    
    Folder::
    
    Driver::
    0257811260303525mcinstcleanup
    
    
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "DisablePersonalDirChange"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
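A triage pass over the log posted above, as an added example that is not part of this thread and not ComboFix's own code. It reads a few lines copied from that log (the forum's stray spaces inside the quotes removed) and reports the items the CFScript in this post goes on to fix: the service whose image sits in a Temp directory and for which ComboFix printed [?] instead of a date and size, the Security Center DisableMonitoring flag, the globally open 3389/TCP firewall exception and the Explorer policy restriction. It also reports the DEP mode from the boot.ini dump (/noexecute=optin, the XP default under which DEP covers Windows system binaries and programs that opt in), since that is the setting this thread is about. The finding codes, regular expressions and function names are this example's own.

```python
"""Triage checks over lines from a ComboFix log (Reg Loading Points,
the service list and the boot.ini dump).

Added example: not from the forum thread and not ComboFix's code. The
sample lines are copied from the log posted in the thread, with the
forum spacing inside the quotes removed; the finding codes are made up
here for illustration.
"""
import re

# Constructed sample: lines taken from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-10 115560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [11/8/2009 1:44 AM 2066968]
S2 0257811260303525mcinstcleanup;McAfee Application Installer Cleanup (0257811260303525);c:\docume~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\025781~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

# ComboFix service line: "<state> <name>;<display name>;<image> [<date size>]"
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
# REGEDIT4-style value line: "<name>"=<data>
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# boot.ini DEP switch
NOEXECUTE_RE = re.compile(r"/noexecute=(\w+)", re.I)
# Image paths under a Temp directory, long or 8.3 form
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)


def _dword(vdata):
    """Parse a 'dword:XXXXXXXX' value; None if the data is not a dword."""
    if not vdata.lower().startswith("dword:"):
        return None
    try:
        return int(vdata[6:], 16)
    except ValueError:
        return None


def triage(log_text):
    """Return (code, name, detail) findings for the security-relevant lines."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()   # registry key header
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            _state, name, _display, image, info = svc.groups()
            if TEMP_DIR_RE.search(image):
                findings.append(("service-in-temp", name, image))
            if info.strip() == "?":
                # ComboFix printed [?] rather than a date and size for the image
                findings.append(("service-file-unreadable", name, image))
            continue
        val = VALUE_RE.match(line)
        if val and current_key:
            vname, vdata = val.groups()
            if current_key.endswith("globallyopenports\\list"):
                findings.append(("open-inbound-port", vname, vdata))
            elif ("security center\\monitoring" in current_key
                  and vname.lower() == "disablemonitoring"
                  and _dword(vdata) == 1):
                product = current_key.rsplit("\\", 1)[-1]
                findings.append(("av-monitoring-disabled", product, vdata))
            elif current_key.endswith("\\run") and TEMP_DIR_RE.search(vdata):
                findings.append(("run-in-temp", vname, vdata))
            elif "\\policies\\" in current_key:
                findings.append(("policy-restriction", vname, vdata))
            continue
        dep = NOEXECUTE_RE.search(line)
        if dep:
            mode = dep.group(1).lower()
            code = "dep-disabled" if mode == "alwaysoff" else "dep-policy"
            findings.append((code, mode, line))
    return findings


if __name__ == "__main__":
    for code, name, detail in triage(SAMPLE_LOG):
        print("%-24s %-32s %s" % (code, name, detail[:60]))
```

Run against the sample it lists the Temp-path service twice (location and the missing file details), the disabled Security Center monitoring for SymantecAntiVirus, the 3389:TCP exception, the DisablePersonalDirChange policy and the optin DEP mode, while the ccApp Run entry and the UNS service pass without comment. Each of the first four corresponds to a line in the Driver:: or Registry:: section of the CFScript above.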
     
  18. 2010/03/31
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    ComboFix 10-03-28.03 - etaylor 03/31/2010 13:30:54.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1993.1338 [GMT -5:00]
    Running from: c:\documents and settings\etaylor\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\etaylor\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\system32\drivers\lvuvc.hs "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\drivers\lvuvc.hs

    ----- BITS: Possible infected sites -----

    hxxp://ncuexch2
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_0257811260303525MCINSTCLEANUP
    -------\Service_0257811260303525mcinstcleanup


    ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))
    .

    2010-03-29 19:59 . 2010-03-29 19:59 45056 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\cache\6.0\49\615348b1-2853bc9c-n\AfsNativeUtils.dll
    2010-03-29 13:57 . 2010-03-29 13:57 -------- d-----w- c:\program files\IncrediMail
    2010-03-19 21:11 . 2010-03-19 21:11 -------- d-----w- c:\program files\XtenderSolutions
    2010-03-19 21:11 . 2010-03-19 21:14 -------- d-----w- c:\windows\Pixtran
    2010-03-19 21:11 . 2010-03-19 21:55 -------- d-----w- c:\program files\Common Files\XtenderSolutions
    2010-03-19 15:20 . 2010-03-19 15:20 -------- d-----w- c:\program files\Symitar
    2010-03-18 18:41 . 2010-03-18 18:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-03-18 12:53 . 2010-03-18 12:53 -------- d-sh--w- c:\documents and settings\abales.NCU.000\IECompatCache
    2010-03-17 18:05 . 2010-03-17 18:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\documents and settings\etaylor\Application Data\Malwarebytes
    2010-03-17 16:44 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-17 16:44 . 2010-03-17 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-17 16:44 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-17 16:13 . 2010-03-17 16:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-03-17 16:05 . 2010-03-18 18:41 966104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
    2010-03-17 16:05 . 2010-03-18 18:41 848160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
    2010-03-17 16:05 . 2010-03-18 18:41 855352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
    2010-03-17 16:05 . 2010-03-18 18:41 1597440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
    2010-03-17 16:05 . 2010-03-18 18:41 818256 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
    2010-03-17 16:05 . 2010-03-18 18:41 1263728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
    2010-03-16 13:31 . 2010-03-16 13:31 -------- d-----w- c:\documents and settings\abales.NCU.000\Application Data\webex
    2010-03-15 18:41 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-03-15 18:36 . 2010-03-15 18:37 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-15 18:36 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-03-15 18:36 . 2010-03-15 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-15 18:36 . 2010-03-15 18:37 -------- d-----w- c:\program files\Lavasoft
    2010-03-15 18:28 . 2010-03-17 15:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-15 18:28 . 2010-03-15 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-15 18:07 . 2010-03-15 18:07 -------- d-sh--w- c:\documents and settings\administrator.NCU\PrivacIE
    2010-03-10 14:05 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-05 16:03 . 2010-03-05 16:08 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Adobe
    2010-03-05 14:14 . 2010-03-05 14:14 -------- d-sh--w- c:\documents and settings\abales.NCU.000\PrivacIE
    2010-03-04 22:21 . 2010-03-04 22:21 503808 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\msvcp71.dll
    2010-03-04 22:21 . 2010-03-04 22:21 499712 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\jmc.dll
    2010-03-04 22:21 . 2010-03-04 22:21 348160 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-7e2683ef-n\msvcr71.dll
    2010-03-04 22:20 . 2010-03-04 22:20 61440 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45e0b815-n\decora-sse.dll
    2010-03-04 22:20 . 2010-03-04 22:20 12800 ----a-w- c:\documents and settings\abales.NCU.000\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-45e0b815-n\decora-d3d.dll
    2010-03-04 21:53 . 2010-03-04 21:53 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Symitar
    2010-03-04 21:52 . 2009-11-08 06:51 -------- d-----w- c:\documents and settings\abales.NCU.000\Application Data\SiteAdvisor
    2010-03-04 21:52 . 2009-11-08 06:48 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Seven Zip
    2010-03-04 21:52 . 2009-11-08 06:47 -------- d-----w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\Microsoft Help
    2010-03-04 21:52 . 2009-11-08 06:42 -------- d-sh--w- c:\documents and settings\abales.NCU.000\IETldCache
    2010-03-04 17:07 . 2010-03-04 17:07 503808 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\msvcp71.dll
    2010-03-03 22:14 . 2010-03-03 22:14 -------- d-----w- c:\documents and settings\testuser\Local Settings\Application Data\Symitar
    2010-03-03 21:59 . 2010-03-03 21:59 -------- d-----w- c:\documents and settings\scavallone\Local Settings\Application Data\Symitar
    2010-03-03 21:59 . 2010-03-03 21:59 -------- d-----w- c:\documents and settings\scavallone\Local Settings\Application Data\Symantec

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 05:45 . 2009-11-08 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PDFC
    2010-03-19 15:27 . 2009-11-08 06:44 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-03-18 18:41 . 2010-03-17 16:06 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
    2010-03-18 18:41 . 2010-03-17 16:06 210552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
    2010-03-18 18:41 . 2010-03-17 16:06 393896 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
    2010-03-18 18:41 . 2010-03-17 16:06 565392 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
    2010-03-18 18:41 . 2010-03-17 16:06 221920 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
    2010-03-18 18:41 . 2010-03-17 16:06 430496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
    2010-03-18 18:41 . 2010-03-17 16:06 167312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
    2010-03-18 18:41 . 2010-03-17 16:06 329560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
    2010-03-18 18:41 . 2010-03-17 16:06 94712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
    2010-03-17 19:53 . 2010-02-04 22:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-17 16:06 . 2010-03-17 16:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-03-17 16:06 . 2010-03-17 16:06 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
    2010-03-17 16:06 . 2010-03-17 16:06 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
    2010-03-17 16:06 . 2010-03-17 16:06 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
    2010-03-17 16:06 . 2010-03-17 16:06 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2010-03-17 16:06 . 2010-03-17 16:06 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
    2010-03-17 16:06 . 2010-03-17 16:06 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
    2010-03-17 16:06 . 2010-03-17 16:06 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
    2010-03-17 16:06 . 2010-03-17 16:06 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
    2010-03-04 21:53 . 2010-03-04 21:52 69264 ----a-w- c:\documents and settings\abales.NCU.000\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-04 17:08 . 2010-03-04 17:08 69264 ----a-w- c:\documents and settings\administrator.NCU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-04 17:07 . 2010-03-04 17:07 499712 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\jmc.dll
    2010-03-04 17:07 . 2010-03-04 17:07 348160 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-519e5b14-n\msvcr71.dll
    2010-03-04 17:07 . 2010-03-04 17:07 61440 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d36fc2b-n\decora-sse.dll
    2010-03-04 17:07 . 2010-03-04 17:07 12800 ----a-w- c:\documents and settings\abales.NCU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7d36fc2b-n\decora-d3d.dll
    2010-03-03 22:39 . 2010-03-03 22:39 -------- d-----w- c:\documents and settings\etaylor\Application Data\webex
    2010-03-03 22:26 . 2010-03-03 22:25 69264 ----a-w- c:\documents and settings\abales.NCU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 22:14 . 2010-03-03 22:14 69264 ----a-w- c:\documents and settings\testuser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 21:59 . 2010-03-03 21:58 69264 ----a-w- c:\documents and settings\scavallone\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-03 19:04 . 2009-11-08 06:44 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-02-12 22:28 . 2010-02-12 22:28 69264 ----a-w- c:\documents and settings\phouse\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-10 22:54 . 2010-02-10 22:43 -------- d-----w- c:\program files\Common Files\LogiShrd
    2010-02-10 22:50 . 2010-02-10 22:50 10134 ----a-r- c:\documents and settings\etaylor\Application Data\Microsoft\Installer\{35725FBC-A136-4A46-9F29-091759D9BB93}\ARPPRODUCTICON.exe
    2010-02-10 22:43 . 2010-02-10 22:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
    2010-02-10 22:43 . 2010-02-10 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2010-02-10 22:43 . 2010-02-10 22:43 -------- d-----w- c:\program files\Logitech
    2010-02-10 22:24 . 2009-11-08 06:44 69264 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-05 20:23 . 2009-12-08 20:21 69264 ----a-w- c:\documents and settings\etaylor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-02-05 18:42 . 2010-02-05 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2010-02-05 18:33 . 2010-02-05 18:33 249856 ----a-w- c:\windows\Setup1.exe
    2010-02-05 18:18 . 2010-02-05 18:18 -------- d-----w- c:\program files\Common Files\Business Objects
    2010-02-05 18:18 . 2010-02-05 18:18 -------- d-----w- c:\program files\Business Objects
    2010-02-05 18:14 . 2010-02-05 18:14 -------- d-----w- c:\program files\RFG
    2010-02-05 18:14 . 2010-02-05 18:14 73216 ----a-w- c:\windows\ST6UNST.EXE
    2010-02-05 18:12 . 2010-02-05 18:12 -------- d-----w- c:\program files\SEAGULL
    2010-02-05 16:22 . 2010-02-05 16:22 -------- d-----w- c:\program files\BVS Performance Systems
    2010-02-05 16:21 . 2010-02-05 16:21 -------- d-----w- c:\program files\QConnect
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Common Files\L&H
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Microsoft ActiveSync
    2010-02-05 16:03 . 2010-02-05 16:03 -------- d-----w- c:\program files\Microsoft Works
    2010-02-05 16:02 . 2010-02-05 16:02 -------- d-----w- c:\program files\Microsoft.NET
    2010-02-05 15:58 . 2010-02-05 15:56 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-02-05 15:58 . 2010-02-05 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-02-05 15:57 . 2010-02-05 15:57 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2010-02-05 15:57 . 2010-02-05 15:57 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2010-02-05 15:57 . 2010-02-05 15:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-02-05 15:57 . 2010-02-05 15:57 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-02-05 15:57 . 2010-02-05 15:56 -------- d-----w- c:\program files\Symantec
    2010-02-05 15:43 . 2010-02-05 15:42 -------- d-----w- c:\program files\Common Files\Adobe
    2010-02-05 15:39 . 2010-02-04 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-02-04 22:21 . 2010-02-04 22:21 503808 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\msvcp71.dll
    2010-02-04 22:21 . 2010-02-04 22:21 499712 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\jmc.dll
    2010-02-04 22:21 . 2010-02-04 22:21 348160 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-538699ea-n\msvcr71.dll
    2010-02-04 22:21 . 2010-02-04 22:21 -------- d-----w- c:\program files\Common Files\Java
    2010-02-04 22:21 . 2010-02-04 22:21 61440 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51015268-n\decora-sse.dll
    2010-02-04 22:21 . 2010-02-04 22:21 12800 ----a-w- c:\documents and settings\etaylor\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-51015268-n\decora-d3d.dll
    2010-02-04 22:21 . 2010-02-04 22:21 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-02-04 22:21 . 2010-02-04 22:21 -------- d-----w- c:\program files\Java
    2010-02-04 22:07 . 2010-02-04 22:06 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
    2010-02-04 21:45 . 2010-02-04 21:45 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
    2010-02-04 21:23 . 2009-11-08 06:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-03-29_18.14.06 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-03-31 18:35 . 2010-03-31 18:35 16384 c:\windows\Temp\Perflib_Perfdata_250.dat
    + 2009-04-06 14:51 . 2010-03-31 18:39 68360 c:\windows\system32\perfc009.dat
    - 2009-04-06 14:51 . 2010-03-19 22:12 68360 c:\windows\system32\perfc009.dat
    + 2009-12-08 22:14 . 2010-03-30 01:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2009-12-08 22:14 . 2010-03-25 18:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2009-12-08 22:14 . 2010-03-30 01:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-12-08 22:14 . 2010-03-25 18:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2009-12-08 22:14 . 2010-03-25 18:42 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-03-30 01:04 . 2010-03-30 01:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2009-04-06 14:51 . 2010-03-31 18:39 435590 c:\windows\system32\perfh009.dat
    - 2009-04-06 14:51 . 2010-03-19 22:12 435590 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-08-26 141336]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-08-26 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-08-26 142872]
    "picon"="c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]
    "RTHDCPL"="RTHDCPL.EXE" [2009-07-03 18665472]
    "PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2009-06-18 563736]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-21 525824]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-12-10 115560]
    "LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 2027792]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Remote Admin Server.lnk - c:\program files\Symitar\SFW\RemoteAdminServer.exe [2010-3-19 266752]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-1138\Scripts\Logon\1\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-3307\Scripts\Logon\1\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-682003330-117609710-725345543-500\Scripts\Logon\0\0]
    "Script"=\\ncu.local\SysVol\ncu.local\scripts\logon.vbs

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @=""

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/15/2010 1:41 PM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 10:52 AM 1263728]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [11/8/2009 1:48 AM 635416]
    R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 11:09 PM 11032]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [11/8/2009 1:44 AM 2066968]
    R3 e1kexpress;Intel(R) PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [11/8/2009 2:33 AM 149600]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/5/2010 1:28 PM 102448]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [12/18/2007 12:46 PM 44800]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/10/2009 5:31 PM 23888]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 18:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hp.com
    uInternet Settings,ProxyServer = 10.1.3.50:3128
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {602452C9-46DA-4D25-B056-7D265AB7CF3E} = 10.1.3.6,10.1.3.2
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-31 13:40
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(884)
    c:\program files\RealVNC\VNC4\wm_hooks.dll

    - - - - - - - > 'explorer.exe'(8884)
    c:\windows\system32\WININET.dll
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\program files\RealVNC\VNC4\wm_hooks.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\msi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Intel\AMT\LMS.exe
    c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\RealVNC\VNC4\WinVNC4.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\msiexec.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-31 13:42:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-31 18:42
    ComboFix2.txt 2010-03-29 18:15

    Pre-Run: 142,059,487,232 bytes free
    Post-Run: 141,970,096,128 bytes free

    - - End Of File - - 85E556C3F0EDA55F439AEB7B10784936
     
  19. 2010/03/31
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:43:41 PM, on 3/31/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Intel\AMT\LMS.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\etaylor\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.3.50:3128
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Remote Admin Server.lnk = C:\Program Files\Symitar\SFW\RemoteAdminServer.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - ESC Trusted Zone: http://*.mcafee.com (HKLM)
    O15 - ESC Trusted Zone: http://betavscan.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://vs.mcafeeasap.com (HKLM)
    O15 - ESC Trusted Zone: http://www.mcafeeasap.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1264545951608
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://jha.webex.com/client/T26L10NSP49EP32/webex/ieatgpc.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ncu.local
    O17 - HKLM\Software\..\Telephony: DomainName = ncu.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{602452C9-46DA-4D25-B056-7D265AB7CF3E}: NameServer = 10.1.3.6,10.1.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ncu.local
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ncu.local
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 8833 bytes
     
  20. 2010/03/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    =================================================================

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.


    Post fresh HijackThis log as well.
     
  21. 2010/04/22
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Sorry. Jury duty took my last week away from me. Here's the whole Dr Web log:



    RegUBP2b-etaylor.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
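Reading a Dr.Web CureIt "Save report list" export programmatically, as an added example that is not part of this thread and not Dr.Web's own tooling. The field layout (object;location;threat;action;) is inferred from the single line posted above and is an assumption; the two extra report lines, the placeholder threat names and restore-point id, and the keyword lists used for triage are constructed for the example.

```python
"""Parse a Dr.Web CureIt report export and triage the detections.

Added example, not part of the forum thread. The semicolon-separated layout
(object;location;threat;action;) is an assumption based on one posted line.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# First line is the one posted in the thread. The next two are constructed so
# the triage logic has something to sort; their threat names and the restore
# point id are placeholders, not real detections.
SAMPLE_REPORT = "\n".join([
    r"RegUBP2b-etaylor.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;",
    r"A0001234.exe;C:\System Volume Information\_restore{PLACEHOLDER}\RP12;Trojan.Example.1;Will be deleted after reboot.;",
    r"setup.exe;C:\Documents and Settings\etaylor\Local Settings\Temp;Tool.Example.2;Incurable.Moved.;",
])

# Assumed vocabulary: action words that mean the object is already neutralised,
# and path fragments that mark backup/snapshot stores rather than live locations.
RESOLVED_WORDS = ("Deleted", "Moved", "Cured", "Renamed")
BACKUP_MARKERS = ("System Volume Information", "Snapshots", "Quarantine", "Backup")


@dataclass(frozen=True)
class Detection:
    obj: str       # file or registry object that was reported
    location: str  # directory or container it was found in
    threat: str    # scanner's detection name
    action: str    # what the scanner did, without the trailing period


def parse_drweb_report(text: str) -> list[Detection]:
    """Split the export into records; blank or short lines are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        cells = [c.strip() for c in row]
        if len(cells) < 4 or not any(cells):
            continue
        records.append(Detection(cells[0], cells[1], cells[2], cells[3].rstrip(".")))
    return records


def is_resolved(d: Detection) -> bool:
    """True when the scanner already neutralised the object. The match is
    case-sensitive on purpose: 'Will be deleted after reboot' is not done yet."""
    return any(w in d.action for w in RESOLVED_WORDS)


def in_backup_store(d: Detection) -> bool:
    """Hits inside restore points or tool snapshots are usually inert copies of
    an earlier state, not the running infection that explains symptoms."""
    return any(m in d.location for m in BACKUP_MARKERS)


def triage(text: str) -> dict:
    """Summarise the report: counts per action, items still pending a reboot or
    manual follow-up, live-location hits, and backup-only hits."""
    records = parse_drweb_report(text)
    return {
        "total": len(records),
        "by_action": Counter(d.action for d in records),
        "pending": [d for d in records if not is_resolved(d)],
        "live": [d for d in records if is_resolved(d) and not in_backup_store(d)],
        "backup_only": [d for d in records if in_backup_store(d)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections")
    for action, n in result["by_action"].items():
        print(f"  {n} x {action}")
    for d in result["pending"]:
        print("needs reboot or follow-up:", d.obj, "-", d.action)
    for d in result["backup_only"]:
        print("backup/snapshot copy only:", d.obj, "in", d.location)
```

Run against the line from this thread, the one real detection lands in `backup_only`: it sits under Spybot's `Snapshots2` folder, a store of saved registry snapshots, so it is a stored copy of an earlier start-page setting rather than something executing now. That is the kind of distinction worth making before concluding a scan explains the original symptom.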
     
